by phkamp 3562 days ago
The reason I don't want to link Varnish against an SSL library is that, in my considered opinion, they all suck.

From a purely operational point of view, you are better off with two different SSL proxies in front of your Varnish (or other webserver), so that you can turn OpenSSL off in even-numbered weeks and the other (pick your poison) in odd-numbered weeks.

The code to hold safely onto your certificate and do all the songs and dances involved in SSL/TLS is, under all circumstances, something which should be isolated in as small a process/protection domain as possible.


This is why I love HN. Thanks for answering this!

They do. They really do. I've read your screed about this and I completely agree. Absolutely appalling. In particular a marked inability to handle thread concurrency, which is pretty fatal to Varnish.

However, given that TLS is operationally important, and using an additional proxy causes a lot of configuration and performance headaches, isn't there any better path forward?