On Thu, 11 Oct 2001 14:57:14 +0100, Andy Schneider wrote:
>> > The idea would be that if two such machines had SSL implemented in their
>> > kernel and both administrators had appropriately configured them, all
>> > communications between those two hosts could be encrypted transparently with
>> > no changes to existing applications. I won't bother listing all the reasons
>> > why this is a bad idea.

>Wouldn't IPSec be a better candidate?

Certainly. For at least two reasons:

1) IPsec already has the negotiation features that you would need.

2) IPsec acts below the TCP/UDP layer. Using SSL would make it very hard to precisely replicate TCP/UDP semantics, leading to lots of subtle bugs and compatibility problems.

I think the misconception is that putting things in the kernel somehow makes them faster. Even typical IPsec implementations put the heavy-duty cipher work (like key exchange) in user space.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]