We might be able to reduce the roundtrips needed for a handshake with TLS Session Resumption

Do you mean with the one-connection-per-invocation model? If so, where should ccache store the session parameters?

I have no measurements to back this up, but my gut feeling is that if a user needs encryption we need to have a long-lived process that keeps the connection alive to get any reasonable speed. (That would certainly help for other session-based network protocols as well.) That is, let ccache start a helper process (if not already started) and communicate with it over a Unix socket. What do you think about that model?

reducing ccache startup time would involve dynamic loading of either OpenSSL or a hypothetical ccache HTTPS plugin.

Right, dynamic plugins are what I envisioned in #414, partly to not have all users pay the cost of all different backends when not using them.

Maybe we could disable OpenSSL / HTTPS support by default and add a big warning sign above the CMake option to convince distributions to not enable it for the standard packages?

I would prefer if all bundled backends are expected to be enabled by default so that the configuration doesn't have to say "if enabled", but yeah, this is the easiest option. The idea of adding a big warning sign for enabling opt-in backends didn't occur to me before... Hmm. Yes, that's maybe good enough. Distributors can then provide a default ccache package and an alternative ccache-tls package with HTTPS and Redis TLS support, etc.

I would however prefer the helper process model, but it's of course a lot more work to get there.

Couldn't you just use a local web proxy (going from http to https), instead of inventing a new backend or package ?

Couldn't you just use a local web proxy (going from http to https)

I guess you mean letting the user start a local web proxy themselves and point ccache to it? I've tried to find a simple enough HTTP(S) forward proxy to recommend but didn't find anything. Do you have any suggestion? In any case, this model seems quite complicated for the user.

Or do you mean ccache starting a local off the shelf web proxy on demand?

instead of inventing a new backend or package ?

To clarify, I don't see this as inventing a new backend but to change the way ccache handles all its network backends.

I did mean an external process, like the ones that exist for memcached and redis...

I have only used the web proxies "the other way", to terminate https before http backend.
Mostly just apache or nginx, but I guess it is a hassle - especially this way, adding certs.

https://en.wikipedia.org/wiki/TLS_termination_proxy

Adding the SSL backends using dlopen sounded good otherwise, even if complicated.

That is, having https and rediss backends available by loading extra code not in "main"
Maybe "easiest" is the different ccache builds, like having a separate ccache-tls package.

I found some simple proxy, but I forgot the name of it... Will update with link when I find it, but haven't tried it.
There were lots of proxies that handled GET request, but not so many that would also handle PUT requests.

Maybe this: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

We will probably need some documentation on how to set up the web server anyway, with DAV support etc ?
I found the Bazel documentation on NGINX was OK, it discussed the packages needed and example config:

https://docs.bazel.build/versions/main/remote-caching.html#setting-up-a-server-as-the-caches-backend

For the memcached backend, TLS was ignored (and handled by Couchbase "moxi").

It seems like the twemproxy "nutcracker" does not have the same TLS/SSL support.

For hostile networks, such as cloud, tunneling was used: (and UDP was disabled, only TCP)

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/index#sect-Security_Guide-Available_Network_Services-Insecure_Services

Encrypt communication between memcached clients and servers with stunnel. Since memcached does not support TLS, a workaround is to use a proxy, such as stunnel, which provides TLS on top of the memcached protocol.

See https://redislabs.com/blog/stunnel-secure-redis-ssl/

Compare: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html

EDIT: I think I misremembered, it was only username/password that was added :-)
I don't think anyone considered encrypting internal traffic back then, "too expensive" ?

TLS should be available for memcached now (2019) though, again with similar tradeoffs:
https://github.com/memcached/memcached/blob/master/doc/tls.txt (also using OpenSSL)

Even "redis-tools" (redis-cli) needs to be newer (1.0.0) and compiled with SSL support (BUILD_TLS=yes).

Maybe it would be possible to use brew also on Linux, then it can be tested using the same packaging as on the Mac

https://docs.brew.sh/Homebrew-on-Linux

$ brew install ninja pkg-config hiredis redis

Maybe this feature (SSL) can be added in 4.5 instead ?

It's definitely out of scope for 4.4 and I don't have any immediate plans to work on it for 4.5 either.

I think I meant to say "after 4.4", as in "maybe later".