Do I understand this right?
It supports HTTP/2, but doesn't support HTTPS. Therefore it supports HTTP/2 in a mostly unusable form, because browser vendors (for good reasons) decided to support HTTP/2 only over HTTPS.
The reason I don't want to link Varnish against an SSL library is that, in my considered opinion, they all suck.
From a purely operational point of view, you are better off with two different SSL proxies in front of your Varnish (or other webserver), so that you can turn OpenSSL off in even-numbered weeks and the other (pick your poison) in odd-numbered weeks.
The code to hold safely onto your certificate and do all the songs and dances involved in SSL/TLS, is under all circumstances something which should be isolated in as small a process/protection domain as possible.
They do. They really do. I've read your screed about this and I completely agree. Absolutely appalling. In particular, a marked inability to handle thread concurrency, which is pretty fatal to Varnish.
However, given that TLS is operationally important, and using an additional proxy causes a lot of configuration and performance headaches, isn't there any better path forward?
Hi jamwt. We haven't forgotten your(?) excellent work on stud!
Both changes.rst and the man page explain where Hitch came from.
Hitch has seen significant changes since we forked stud 0.3.2,
for example proper reload/sighup support, an improved configuration format, and OCSP stapling. Running it on a large scale (cert/ip -wise) also works better now.
If you're ever in our parts of the world, let us know and we'll buy you some beers/coffee/$beverage and tell you all about how your old project is doing.
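Concretely, the split argued for earlier in the thread (certificate handling and the TLS state machine confined to a small, unprivileged process in front of Varnish, with a plain-text hop carrying the client address) is what a Hitch deployment looks like. The following hitch.conf is an added example and not a file from the thread or from the Hitch project; the paths, port numbers, OCSP directory and cipher string are assumptions chosen for illustration.

```ini
# hitch.conf: TLS termination in its own small, unprivileged process in
# front of Varnish. Added example; paths, ports and the cipher string are
# assumptions, not values from the thread.

# Public TLS listener. Hitch never sees cache or backend logic.
frontend = "[*]:443"

# Plain-text hop to Varnish on loopback. PROXY protocol v2 carries the
# real client address so client.ip in VCL is not 127.0.0.1.
backend = "[127.0.0.1]:8443"
write-proxy-v2 = on

# Certificate and private key exist only inside this protection domain.
# The OCSP directory holds cached responses used for stapling (assumed path).
pem-file = "/etc/hitch/example.com.pem"
ocsp-dir = "/var/lib/hitch/ocsp"

# Shrink the blast radius: start as root to bind :443, then drop
# privileges and chroot before touching any client data.
user = "hitch"
group = "hitch"
chroot = "/var/lib/hitch"

# A terminator needs few workers; keep the process small.
workers = 2

# Assumed cipher policy: forward-secret AEAD suites only.
ciphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL:!MD5"
prefer-server-ciphers = on
```

On the Varnish side, only the loopback socket accepts the PROXY header, e.g. `varnishd -a :80 -a 127.0.0.1:8443,PROXY ...`, so the public :80 listener cannot be used to spoof client addresses. The "second terminator for odd-numbered weeks" from earlier in the thread would simply point at the same PROXY listener. Certificate rotation is done by replacing the PEM file and sending Hitch SIGHUP, so the cache never has to be restarted.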
The reference to Bump is also on the copyright notice on the license file.
As Lasse pointed out, we never meant to take away any merit from your work. If you feel we could highlight Hitch's origin from Stud better, let us know how. We are open to suggestions.
And yes, if you ever come to Oslo, you have an open invitation to come by and test our homebrew :)