On Thu, 11 Oct 2001 14:57:14 +0100, Andy Schneider wrote:

>> >     The idea would be that if two such machines had SSL implemented in their
>> > kernel and both administrators had appropriately configured them, all
>> > communications between those two hosts could be encrypted transparently with
>> > no changes to existing applications. I won't bother listing all the reasons
>> > why this is a bad idea.

>Wouldn't IPSec be a better candidate?

        Certainly. For at least two reasons:

        1) IPsec already has the negotiation features that you would need.

        2) IPsec acts below the TCP/UDP layer. Using SSL would make it very hard to 
precisely replicate TCP/UDP semantics, leading to lots of subtle bugs and 
compatibility problems.

        I think the misconception is that putting things in the kernel somehow makes 
them faster. Even typical IPsec implementations put the heavy-duty cipher 
work (like key exchange) in user space.

        DS

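As an added illustration of the second reason above (this is not part of the original exchange and is not OpenSSL or IPsec code), the following constructed Python model contrasts the two encapsulation styles: a stream record layer, as SSL/TLS uses, carrying UDP datagrams, versus per-datagram protection below UDP, as IPsec ESP does. The record size, key, truncated tag length and anti-replay window are arbitrary choices made for the demonstration; the only real primitive used is HMAC-SHA256 for the integrity tag, and no confidentiality is modelled.

```python
"""
Constructed model: TLS-style stream records vs ESP-style per-datagram
packets, both carrying the same UDP payloads over a lossy link.
The framing is a deliberate simplification of both protocols.
"""
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
TAG_LEN = 8                    # truncated tag, demo only
RECORD_SIZE = 16               # bytes of stream per record, demo only


def tag(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]


# ---- stream-style encapsulation (TLS record layer model) ----
def stream_protect(datagrams):
    """Concatenate datagrams into one byte stream and cut it into records.
    Datagram boundaries are not carried: the record layer sees only bytes."""
    stream = b"".join(datagrams)
    records = []
    for seq, off in enumerate(range(0, len(stream), RECORD_SIZE)):
        body = stream[off:off + RECORD_SIZE]
        hdr = struct.pack("!I", seq)
        records.append(hdr + body + tag(hdr + body))
    return records


def stream_deliver(records):
    """Records must be consumed strictly in order: a missing sequence number
    stalls everything after it (head-of-line blocking), and the result is a
    byte stream, so the original datagram boundaries are gone."""
    expected = 0
    out = b""
    for rec in sorted(records, key=lambda r: struct.unpack("!I", r[:4])[0]):
        seq = struct.unpack("!I", rec[:4])[0]
        body, mac = rec[4:-TAG_LEN], rec[-TAG_LEN:]
        if not hmac.compare_digest(mac, tag(rec[:-TAG_LEN])):
            break  # corrupted or forged record: stream is unusable from here
        if seq != expected:
            break  # gap in the stream: cannot deliver any further bytes
        out += body
        expected += 1
    return out


# ---- per-datagram encapsulation (IPsec ESP model) ----
def esp_protect(datagrams):
    """Each datagram becomes one protected packet with its own sequence
    number, independent of every other packet."""
    pkts = []
    for seq, d in enumerate(datagrams, start=1):
        hdr = struct.pack("!I", seq)
        pkts.append(hdr + d + tag(hdr + d))
    return pkts


def esp_deliver(pkts, window=32):
    """Accept each authenticated packet once (anti-replay window), tolerate
    loss and reordering, and keep datagram boundaries intact."""
    highest = 0
    seen = set()
    delivered = []
    for p in pkts:
        seq = struct.unpack("!I", p[:4])[0]
        body, mac = p[4:-TAG_LEN], p[-TAG_LEN:]
        if not hmac.compare_digest(mac, tag(p[:-TAG_LEN])):
            continue  # corrupted or forged packet: drop only this one
        if seq in seen or seq + window <= highest:
            continue  # replay, or older than the window: drop
        seen.add(seq)
        highest = max(highest, seq)
        delivered.append((seq, body))
    return delivered


def demo():
    """Three constructed datagrams; the second unit is lost on the wire and
    the last ESP packet is replayed once."""
    datagrams = [b"A" * 10, b"B" * 20, b"C" * 5]
    recs = stream_protect(datagrams)   # 35 bytes of stream -> 3 records
    pkts = esp_protect(datagrams)
    got_stream = stream_deliver([recs[0], recs[2]])
    got_esp = esp_deliver([pkts[0], pkts[2], pkts[2]])
    return got_stream, got_esp


if __name__ == "__main__":
    s, e = demo()
    print("stream delivered:", s)   # 16 bytes, mid-datagram, then stalls
    print("esp delivered:   ", e)   # datagrams 1 and 3, replay dropped
```

Running it shows the point from the reply: with one record lost, the stream receiver hands the application sixteen bytes that straddle two datagrams and then blocks waiting for data that will never arrive, whereas the per-datagram receiver delivers datagrams 1 and 3 whole, drops the replay, and leaves the application to handle loss exactly as it would with plain UDP.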

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
