The first hit is going to be pretty expensive on the client, since it has
to negotiate four different sets of keys. Subsequent requests will be
better, but still take a bit of overhead on the client to decrypt each
connction pseduo-simultaneously.

Perhaps a better plan would have been to create a single (or
high-availability pair using "keepalived") SSL-terminating reverse proxy
that map requests for certain images to standard (http, not https)
webservers on a privately addressed network. This would cut down the
client workload by 75% if you've got four SSL servers. Pound ( ) is a great SSL-terminating reverse proxy
that's very lightweight and fast. I've deployed it often and found it to
be very stable, flexible, and responsive. Even on oldish hardware, it ca=
terminate upwards of 400 SSL sessions per second... newer hardware would
obviously push that number higher. Additionally, it has a FAR smaller
footprint than say using Apache as proxy.

Kind Regards,

> Every item the browser requests, such as images, comes from a
> unique/distinct connection.
> So the links to the other web servers will result in independent
> connections
> to the other web servers. So you should be good to go.
> On 4/24/06, Vishwas wrote:
>> Hello there,
>> I have few doubts, the scenario goes as below.
>> Scenario: There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all
>> of
>> them independently controlled and have valid certificates. Now, a "use=

>> on
>> A1 designs an HTML page ( index.html) that refers to images from all t=

>> 4
>> servers. The links to these images are specified in the HTML file usin=

>> "
>> https://A[1-4]/..."
>> Questions:
>> 1. A request for
>> https://A1/~user/index.htmlcomes, The
>> requestor is going to get a SSL connection from A1. And the
>> content from A1 to the browser is flowing through the SSL-tunnel. I
>> think
>> only the files that reside on A1 are going to flow through this tunnel
>> from
>> A1 to the browser!? And the files from A2, A3, and A4 are flowing
>> through
>> separate SSL-tunnels to the browser!? Then the browser shows only one
>> PADLOCK symbol, will it be for A1? YES. Then what about the
>> SSL-connections
>> from A2, A3, and A4? How does browser tells its user about these
>> connections?
>> 2. Or does A1 brings the files from A2, A3, and A4 that referred insid=

>> the "index.html" file by the "user" and serves to the browser?
>> Am confused. Because my understanding was SSL is Secure socket layer,
>> and
>> one cannot tamper with this tunnel. And I used to think, when I ask th=

>> browser to open some URL, it opens a connection (by obtaining a socket=

>> say
>> 56789, from underlying OS) to the port 80 of URL server. Now I feel, i=

>> the
>> URL page has objects residing on other servers, my browser opens
>> separate
>> sockets (different from 56789) for these objects.!? Please clarify my
>> doubts. Or point me to some guides et al.
>> Thank you for your patience.
>> --
>> Best Regards,
>> Vishwas.


__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl)
User Support Mailing List
Automated List Manager