Re: [load balancing] Verisign and Load Balancers

From: KJ & JC Salchow (salchowIZZATfrontiernet.net)
Date: Fri Feb 16 2001 - 01:28:06 EST


    From my experience at a Fortune 200 Electronics retailer, whose web farm
    consists of over 100 servers - you CAN technically use one cert (registered
    by FQDN) on each of the duplicate boxes. LEGALLY, however, you must pay for
    each separate one. Yes, it sucks - but since they own the certs and they
    write the license agreement, there is really nothing you can do. You can
    try getting away with it - but what happens to your site when they figure it
    out and revoke ALL of your certificates??

    Because of this, I'd like to see someone use something like the F5 BIG-IP to
    really screw with Verisign. If you combine F5's SSL termination and their
    HTTP header parsing you could do the following:

    Instead of having www.mycom.com and service.mycom.com and sales.mycom.com,
    etc. do:
    www.mycom.com and www.mycom.com/service and www.mycom.com/sales.

    The header parsing would allow all of those to operate on different
    servers - with different support, development, etc - but technically, they
    are all the same FQDN!!! I would love to see this! :-)

    Also, someone mentioned that Verisign could just say that since it was
    encrypted at one point . . . . . unfortunately for them, they wrote the
    agreement - so say in an F5 situation - it IS only one server with the
    certificate. The real question about this is what happens if you load
    balance SSL devices? Do you have to have a valid cert for EACH SSL device -
    for EACH FQDN? The way Verisign's agreement reads - YES.

    My .04.

    Ken
    ----- Original Message -----
    From: "Paris Lundis" <PLundisIZZATareaindex.com>
    To: <lb-lIZZATvegan.net>
    Sent: Thursday, February 15, 2001 4:29 PM
    Subject: Re: [load balancing] Verisign and Load Balancers

    > Kind of in regard to Eric's comments, folks like Nokia are producing
    > SSL enhancement devices that are specialized appliances... They sit in
    > front of your server cluster and basically handle a lot of the SSL
    > traffic. One of the key selling points by them (include Intel content
    > switches here too) is the reduction in the cost of server certs (ie: a
    > cert per server)...
    >
    > if you were to run these certs on a cert server appliance wouldn't that
    > be just one server :)
    >
    > games.
    >
    > Paris Lundis
    > 412-288-9901 x1038(Office)
    > 412-551-9962 (Cellular) or email 4125519962IZZATmobile.att.net
    > [finding the future in the past, passing the future in the present]
    > [connecting people, places and things]
    >
    >
    > -----Original Message-----
    > From: Eric Gray <egrayIZZATsitesmith.com>
    > Date: Thu, 15 Feb 2001 13:52:17 -0800
    > Subject: Re: [load balancing] Verisign and Load Balancers
    >
    > > I have not looked at the online application lately, but is it even
    > > possible to buy multiple certs?
    > >
    > > If you generate a new cert request and log in and try to buy another
    > > cert for yourdomain.com, something will probably choke.
    > >
    > > They could easily work around that by simply having customers mail
    > > checks each time a new web server is put online. Just put your domain
    > > name in the memo field of the check... cha ching.
    > >
    > > A frustrating case of some legal person familiar with software licensing
    > > (but not certs) influencing this document you reference.
    > >
    > > To top it off, anyone you speak to (sales in particular) won't
    > > necessarily understand the concept of a farm of identical web servers
    > > behind a load balancer. It is one big "logical server" in a way. But
    > > that kind of falls apart if you compare it to OS or app server software,
    > > which need to be licensed per server.
    > >
    > > If this takes off, it will become another bullet point for SSL
    > > acceleration outside of the web servers. Such as Ipivot or BIG-IP. But
    > > then Verisign will go, "hey, that traffic was encrypted at one time, so
    > > you still have to pay us..."
    > >
    > > Eric
    > >
    > >
    > > On Thu, Feb 15, 2001 at 03:36:51PM -0500, tony bourke wrote:
    > > > Hi All,
    > > >
    > > > I've got a question for those of you that have used Verisign and load
    > > > balancers.
    > > >
    > > > When dealing with multiple servers behind a load balancer, do you order
    > > > one cert for the entire site, or one cert for each server? I was always
    > > > under the impression that it's one cert to be used with all servers. Is
    > > > this not the case? What are y'all doing?
    > > >
    > > > Some verisuck drones are quoting this to me, out of their agreement:
    > > >
    > > > 4. Use Restrictions. You and your Customer are prohibited from using your
    > > > Customers Server ID (i) for or on behalf of any other organization, (ii)
    > > > to perform private or public key operations in connection with any domain
    > > > name and/or organization name other than the Customers name submitted by
    > > > you during enrollment, or (iii) on more than one server at a time.
    > > >
    > > > Take a look at part iii:
    > > >
    > > > (iii) on more than one server at a time.
    > > >
    > > > Any thoughts?
    > > >
    > > > Tony
    > > >
    > > > --------------
    > > > -- ---- ---- --- - - - - - -- - - - - - - Tony Bourke
    > > > tonyIZZATvegan.net
    > > >
    > >
    >
    >
    >
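Ken's suggestion above (one FQDN, TLS terminated on the load balancer, a backend pool chosen from the URL path), written out as an added example that is not part of the thread and is not F5 BIG-IP configuration. The FQDN `www.mycom.com`, the pool names and the backend addresses are constructed for illustration. Beyond the bare prefix match the message describes, it does the two checks a practitioner would want before trusting a path-based routing decision: the Host header must be the one name the certificate on the balancer covers, and the path is percent-decoded and dot-segment-normalized before the prefix comparison, so that `/service/../sales/x` is routed as `/sales/x` and `/%73ervice/x` as `/service/x`, matching on whole path segments so `/services` does not fall into the `/service` pool.

```python
"""Path-based routing behind one TLS-terminating load balancer.

Added example for the thread above; the FQDN, pools and backends are
constructed placeholders, not taken from any vendor's configuration.
"""
import posixpath
from urllib.parse import unquote, urlsplit

# The single name the certificate on the load balancer is issued for (constructed).
SITE_FQDN = "www.mycom.com"

# Path prefix -> backend pool (constructed addresses). Backends speak plain
# HTTP on the inside because TLS ends at the balancer; "/" is the catch-all.
POOLS = {
    "/service": ["10.0.1.11:80", "10.0.1.12:80"],
    "/sales": ["10.0.2.11:80", "10.0.2.12:80"],
    "/": ["10.0.0.11:80", "10.0.0.12:80", "10.0.0.13:80"],
}


class RoutingError(ValueError):
    """Raised when a request must not be forwarded to any pool."""


def canonical_path(raw_target: str) -> str:
    """Return the percent-decoded, dot-segment-free path of a request target."""
    path = urlsplit(raw_target).path or "/"
    path = unquote(path)
    # normpath collapses "//", "/./" and "/../" segments and drops a trailing
    # slash, which is what we want before comparing against pool prefixes.
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        # A target that never began with "/" (e.g. "service/x") is not a
        # valid origin-form request target; refuse rather than guess.
        raise RoutingError(f"rejecting relative request target {raw_target!r}")
    return norm


def select_pool(host_header: str, raw_target: str) -> str:
    """Pick the pool key for a request that arrived on the TLS listener."""
    # Drop an optional :port and compare case-insensitively, as DNS names are.
    host = host_header.split(":", 1)[0].strip().lower()
    if host != SITE_FQDN:
        raise RoutingError(f"Host {host!r} is not the name this listener serves")
    path = canonical_path(raw_target)
    # Longest prefix wins, and a prefix only matches on a segment boundary.
    best = "/"
    for prefix in POOLS:
        if prefix == "/":
            continue
        if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > len(best):
            best = prefix
    return best


def is_served(host_header: str, raw_target: str) -> bool:
    """True when the request would be forwarded to some pool at all."""
    try:
        select_pool(host_header, raw_target)
    except RoutingError:
        return False
    return True


def choose_backend(pool_key: str, counter: int) -> str:
    """Round-robin one backend out of the selected pool."""
    pool = POOLS[pool_key]
    return pool[counter % len(pool)]


def route_request(request_head: str, counter: int = 0) -> tuple:
    """Parse the request line and Host header of a raw HTTP request head.

    Returns (pool_key, backend) for the request, or raises RoutingError.
    """
    lines = request_head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1]
            break
    if not host:
        raise RoutingError("missing Host header")
    pool_key = select_pool(host, target)
    return pool_key, choose_backend(pool_key, counter)


if __name__ == "__main__":
    # Constructed request heads, as the balancer sees them after decryption.
    samples = [
        "GET /service/status HTTP/1.1\r\nHost: www.mycom.com\r\n",
        "GET /sales/quote?id=7 HTTP/1.1\r\nHost: WWW.MYCOM.COM:443\r\n",
        "GET /service/../sales/quote HTTP/1.1\r\nHost: www.mycom.com\r\n",
        "GET /%73ervice/x HTTP/1.1\r\nHost: www.mycom.com\r\n",
        "GET /services HTTP/1.1\r\nHost: www.mycom.com\r\n",
    ]
    for i, head in enumerate(samples):
        print(head.split("\r\n")[0], "->", route_request(head, i))
```

The Host check is what makes the "same FQDN" idea hold up on the wire: the listener presents exactly one certificate, so it should only ever forward requests that name that FQDN, and the old per-hostname split (`service.mycom.com`, `sales.mycom.com`) is replaced entirely by the path prefix. Normalizing before matching matters because the backend pools are separate servers with separate operators; if the balancer matched the raw path, a request could be handed to one pool while the backend interprets the path as belonging to another.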



    This archive was generated by hypermail 2b30 : Fri Feb 16 2001 - 01:29:00 EST