The first hit is going to be pretty expensive on the client, since it has to negotiate four different sets of keys. Subsequent requests will be better, but still take a bit of overhead on the client to decrypt each connection pseudo-simultaneously.

Perhaps a better plan would have been to create a single (or high-availability pair using "keepalived") SSL-terminating reverse proxy that maps requests for certain images to standard (http, not https) webservers on a privately addressed network. This would cut down the client workload by 75% if you've got four SSL servers.

Pound ( http://www.apsis.ch/pound/ ) is a great SSL-terminating reverse proxy that's very lightweight and fast. I've deployed it often and found it to be very stable, flexible, and responsive. Even on oldish hardware, it can terminate upwards of 400 SSL sessions per second... newer hardware would obviously push that number higher. Additionally, it has a FAR smaller footprint than, say, using Apache as a proxy.

Kind Regards,
-dsp

> Every item the browser requests, such as images, comes from a
> unique/distinct connection.
>
> So the links to the other web servers will result in independent
> connections to the other web servers. So you should be good to go.
>
> On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:
>>
>> Hello there,
>>
>> I have a few doubts, the scenario goes as below.
>>
>> Scenario: There are 4 SSL-enabled Apache servers {A1, A2, A3, A4},
>> all of them independently controlled and have valid certificates.
>> Now, a "user" on A1 designs an HTML page (index.html) that refers to
>> images from all the 4 servers. The links to these images are
>> specified in the HTML file using "https://A[1-4]/..."
>>
>> Questions:
>> 1. A request for https://A1/~user/index.html comes. The requestor is
>> going to get an SSL connection from A1. And the content from A1 to
>> the browser is flowing through the SSL-tunnel. I think only the
>> files that reside on A1 are going to flow through this tunnel from
>> A1 to the browser!? And the files from A2, A3, and A4 are flowing
>> through separate SSL-tunnels to the browser!? Then the browser shows
>> only one PADLOCK symbol, will it be for A1? YES. Then what about the
>> SSL-connections from A2, A3, and A4? How does the browser tell its
>> user about these connections?
>>
>> 2. Or does A1 bring the files from A2, A3, and A4 that are referred
>> to inside the "index.html" file by the "user" and serve them to the
>> browser?
>>
>> Am confused. Because my understanding was SSL is Secure socket
>> layer, and one cannot tamper with this tunnel. And I used to think,
>> when I ask the browser to open some URL, it opens a connection (by
>> obtaining a socket, say 56789, from underlying OS) to the port 80 of
>> URL server. Now I feel, if the URL page has objects residing on
>> other servers, my browser opens separate sockets (different from
>> 56789) for these objects.!? Please clarify my doubts. Or point me to
>> some guides et al.
>>
>> Thank you for your patience.
>>
>> --
>> Best Regards,
>> Vishwas.
>>
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                                [EMAIL PROTECTED]
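
The connection counts discussed in this thread, as an added example that is not part of the original messages: it parses a page, lists the distinct HTTPS origins the browser must set up a session with, and repeats the count after the links are rewritten to one SSL-terminating proxy. The host names, the sample page and the /<backend>/ path layout on the proxy are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HTTPS_PORT = 443
FETCHED = {("img", "src"), ("script", "src"), ("link", "href")}

class SubresourceCollector(HTMLParser):
    """Collects the URLs a browser fetches on its own while rendering a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = [page_url]

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCHED and value:
                # Relative links resolve against the page, as in the browser.
                self.urls.append(urljoin(self.page_url, value))

def fetched_urls(page_url, html):
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return collector.urls

def tls_origins(urls):
    """Distinct (host, port) pairs reached over https; each needs its own session."""
    found = set()
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            found.add((parts.hostname, parts.port or HTTPS_PORT))
    return sorted(found)

def via_proxy(url, proxy_host, backends):
    """Assumed layout: the proxy exposes each backend under /<backend>/."""
    parts = urlsplit(url)
    if parts.hostname in backends:
        return f"https://{proxy_host}/{parts.hostname}{parts.path}"
    return url

# Constructed sample page; the hosts stand in for A1..A4 from the thread.
PAGE_URL = "https://a1.example/~user/index.html"
PAGE_HTML = """<html><body>
<img src="logo.png">
<img src="https://a2.example/img/banner.png">
<img src="https://A3.example:443/img/photo.jpg"/>
<img src="https://a4.example/img/chart.gif">
</body></html>"""
BACKENDS = {"a1.example", "a2.example", "a3.example", "a4.example"}

if __name__ == "__main__":
    direct = fetched_urls(PAGE_URL, PAGE_HTML)
    proxied = [via_proxy(u, "www.example", BACKENDS) for u in direct]
    print(len(tls_origins(direct)), "TLS origins direct:", tls_origins(direct))
    print(len(tls_origins(proxied)), "TLS origin via proxy:", tls_origins(proxied))
```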