Re: [load balancing] Verisign and Load Balancers

From: Alex Samonte (asamonteIZZATsitesmith.com)
Date: Fri Feb 16 2001 - 19:33:50 EST


    On Fri, Feb 16, 2001 at 12:28:06AM -0600, KJ & JC Salchow wrote:
    > Because of this, I'd like to see someone use something like the F5 BIG-IP to
    > really screw with Verisign. If you combine F5's SSL termination and their
    > HTTP header parsing you could do the following:
    >
    > Instead of having www.mycom.com and service.mycom.com and sales.mycom.com,
    > etc. do:
    > www.mycom.com and www.mycom.com/service and www.mycom.com/sales.

    Those aren't the normal cases in which people have problems.
    It's when people have

    www.vhost1.com www.vhost2.com www.vhost3.com

    For that setup I still need 3 certs.

    For your example above you can get a *.mycom.com cert (which costs more)

    > The header parsing would allow all of those to operate on different
    > servers - with different support, development, etc - but technically, they
    > are all the same FQDN!!! I would love to see this! :-)

    some places still want different hostnames for branding:

    my.yahoo.com, secure.ebay.com, etc.

    Not everyone wants to live under www

    > Also, someone mentioned that Verisign could just say that since it was
    > encrypted at one point . . . . . unfortunately for them, they wrote the
    > agreement - so say in an F5 situation - it IS only one server with the
    > certificate. The real question about this is what happens if you load
    > balance SSL devices? Do you have to have a valid cert for EACH SSL device -
    > for EACH FQDN? The way Verisign's agreement reads - YES.

    Agreed. And that may not be an unreasonable request.

    I mean think about it. You're paying 15-30K for an SSL accelerator box. Is
    an additional $100 going to make that much difference? Hell they should
    bundle or have a gift certificate (no pun intended) for a Verisign cert
    with each accelerator.

    -Alex


