Re: [load balancing] Verisign and Load Balancers

From: Alex Samonte (
Date: Fri Feb 16 2001 - 19:33:50 EST

    On Fri, Feb 16, 2001 at 12:28:06AM -0600, KJ & JC Salchow wrote:
    > Because of this, I'd like to see someone use something like the F5 BIG-IP to
    > really screw with Verisign. If you combine F5's SSL termination and their
    > HTTP header parsing you could do the following:
    > Instead of having and and,
    > etc. do:
    > and and

    Those aren't the normal cases in which people have problems.
    It's when people have

    For that setup I still need 3 certs.

    For your example above you can get a * cert (which costs more)

    > The header parsing would allow all of those to operate on different
    > servers - with different support, development, etc - but technically, they
    > are all the same FQDN!!! I would love to see this! :-)

    Some places still want different hostnames for branding:,, etc.

    Not everyone wants to live under www.

    > Also, someone mentioned that Verisign could just say that since it was
    > encrypted at one point . . . . . unfortunately for them, they wrote the
    > agreement - so say in an F5 situation - it IS only one server with the
    > certificate. The real question about this is what happens if you load
    > balance SSL devices? Do you have to have a valid cert for EACH SSL device -
    > for EACH FQDN? The way Verisign's agreement reads - YES.

    Agreed. And that may not be an unreasonable request.

    I mean, think about it. You're paying 15-30K for an SSL accelerator box. Is
    an additional $100 going to make that much difference? Hell, they should
    bundle or have a gift certificate (no pun intended) for a Verisign cert
    with each accelerator.

