{"id":1389,"date":"2009-10-05T08:24:21","date_gmt":"2009-10-05T13:24:21","guid":{"rendered":"http:\/\/www.coresecuritypatterns.com\/blogs\/?p=1389"},"modified":"2020-08-08T04:13:28","modified_gmt":"2020-08-08T04:13:28","slug":"unleashing-ssl-acceleration-and-reverse-proxying-with-kernel-ssl-kssl","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2009\/10\/05\/unleashing-ssl-acceleration-and-reverse-proxying-with-kernel-ssl-kssl\/","title":{"rendered":"Unleashing SSL Acceleration and Reverse-Proxying with Kernel SSL (KSSL)"},"content":{"rendered":"

\"\"<\/a>Last few weeks, I have been pulled into an interesting gig for demonstrating security for _____  SOA\/XML Web Services and Java EE applications…. so I had a chance to play with some untold security features of Solaris 10. KSSL<\/span><\/strong> is one of the unsung yet powerful<\/em> security features of Solaris 10.  As the name identifies, KSSL is a Solaris Kernel Module that helps representing server-side SSL protocol to help offloading operations such as SSL\/TLS based communication, SSL\/TLS termination and reverse-proxying for enduser applications. KSSL takes advantage of Solaris Cryptographic Framework (SCF), <\/strong>to act as an SSL proxy server performing complete SSL handshake processing in the Solaris Kernel and also using the underlying hardware cryptographic providers (SSL accelerators, PKCS11 Keystores and HSMs) to enable SSL acceleration and supporting secure key storage.<\/p>\n

Before I jump into how to use KSSL for offloading SSL operations, here is some compelling aspects you may want to know:<\/p>\n

    \n
  1. Helps non-intrusively introduce an SSL proxy server for Web servers, Java EE application servers and also applications that does’nt implement SSL.<\/li>\n
  2. KSSL proxy listens to all secured requests on the designated SSL port (ex. HTTPS:\/\/:443)  and renders a cleartext traffic via reverse proxy (ex. HTTP:\/\/:8080) port for the underlying Web or application server. All SSL operations including the SSL handshake and session state are performed asynchronously in the Solaris Kernel and without the knowledge of the target application server.<\/li>\n
  3. KSSL automatically uses SCF for offloading operations to underlying hardware cryptographic providers with no extra effort needed.<\/li>\n
  4. Manages all the SSL certificates independently supporting most standard formats (ex. PKCS12, PEM),  the key artifacts can be stored in a flatfile or a PKCS11 conformant keystore (If you are worried about loosing the private key).<\/li>\n
  5. Supports the use Solaris zones, where each IP identified zone can be configured with a KSSL proxy<\/li>\n
  6. Delivers 25% – 35% faster SSL performance<\/span> in comparison with traditional SSL configurations of most popular Web servers and Java EE application servers.<\/li>\n
  7. KSSL can be used to delegate Transport-layer security and the applications may choose to implement WS-Security mechanisms for message-layer security.<\/li>\n<\/ol>\n

    Those are some compelling aspects of KSSL that are hard to ignore…. if you really understand the pain from performance overheads<\/em> associated with SSL\/TLS \ud83d\ude42  As I verified, KSSL works well with most common Web servers and Java EE applications servers.<\/p>\n

    Try it yourself<\/h2>\n

    Certainly it is worth a try…and you should able to do it very quickly than configuring SSL for your web sever !<\/p>\n