Luke,
well we'll have to look into a JSSE wrapper for OpenSSL again, although
Conscrypt has worked fine for some clients, so still worthwhile pushing
them to fix any outstanding issues.
Also, our priorities are influenced by our commercial support partners, so
just a reminder that if there are
Hi Greg,
Realistically I couldn't do the unix socket thing, I think it wouldn't be
considered secure enough since clear text sensitive data would be easily
available via that socket. Although even if that is not true, I think our
clients would just not be ok with anything other than encryption
Also I note that it appears that netty is wrapping OpenSSL as a SslEngine,
so we could look at either doing the same or even reusing their wrapper
(although it appears to pull in a lot of netty util and handlers).
On Fri, 19 Mar 2021 at 12:42, Greg Wilkins wrote:
> So unix sockets an option?
>
So unix sockets an option?
On Fri, 19 Mar 2021, 09:21 Luke B, wrote:
> Hi,
>
> From memory the difference in performance is rather large, maybe 10x or
> 20x. It really does make a difference to how many requests we can handle.
> Conscrypt takes jetty from being severely limited by the speed at
Hi,
From memory the difference in performance is rather large, maybe 10x or
20x. It really does make a difference to how many requests we can handle.
Conscrypt takes jetty from being severely limited by the speed at which it
can transfer encrypted data, to encryption adding no meaningful
Hi,
On Mon, Mar 15, 2021 at 12:50 AM Luke B wrote:
>
> Hi,
>
> So it seems conscrypt has even more memory leaks:
> https://github.com/google/conscrypt/issues/835
> https://github.com/google/conscrypt/issues/984
>
> Conscrypt doesn't appear to be sufficiently reliable to be used in production.
>
On 3/14/2021 6:54 PM, Luke B wrote:
> Unfortunately my clients want that illusion of safety and it is just
> easier to give them that rather than argue with them. I really don't
> care to argue this point.
I understand. In the case I dealt with, there are certain companies
that you simply do not
Luke,
That memory leak appears to be on outgoing connection attempts, not
incoming ones. So Conscrypt should be fine for server side usage with
that... or are you also using the client?
As for options to avoid Conscrypt, would offloaded SSL that communicates
via a unix socket rather than
Hi Shawn,
Unfortunately my clients want that illusion of safety and it is just easier
to give them that rather than argue with them. I really don't care to argue
this point.
Do you have any ideas for solving the problem at hand?
cheers,
Luke
On Mon, Mar 15, 2021 at 11:42 AM Shawn Heisey
On 3/14/2021 5:50 PM, Luke B wrote:
Setting up jetty to listen only on localhost without SSL and having an
nginx (or other web server) reverse proxy to provide SSL is possible but
unlikely something that is acceptable as encryption is required all the
way to the java process. In this case a
Hi,
So it seems conscrypt has even more memory leaks:
https://github.com/google/conscrypt/issues/835
https://github.com/google/conscrypt/issues/984
Conscrypt doesn't appear to be sufficiently reliable to be used in
production.
Setting up jetty to listen only on localhost without SSL and having