SSL Offloading


SSL Offloading Definition

SSL offloading is the process of removing SSL-based encryption from incoming traffic destined for a web server, relieving the server of the work of decrypting data. Secure Sockets Layer (SSL) is a protocol that secures HTTP traffic and HTTP requests on the internet. SSL traffic can be compute intensive because it requires encryption and decryption of traffic. SSL (now called TLS, or Transport Layer Security) relies on public key cryptography to encrypt communications between the client and server, so that messages travel safely across networks. Encryption of sensitive information protects against potential hackers and man-in-the-middle attacks.

Image depicting SSL offloading through a load balancer that ensures security of HTTP to HTTPS traffic from applications to web servers.

FAQs

What is SSL Offloading?

SSL is a cryptographic protocol that secures communications over the internet. SSL encryption ensures user communications are secure. The encryption and decryption of SSL are CPU intensive and can put a strain on server resources. To balance the compute demands of encrypting and decrypting traffic sent via SSL connections, SSL offloading moves that processing to a dedicated server. This frees the web server to handle other application delivery demands.

How does SSL Offloading Work?

SSL offloading relieves a web server of the processing burden of encrypting and decrypting traffic sent via SSL. Every web browser is compatible with the SSL security protocol, making SSL traffic common. The processing is offloaded to a separate server designed specifically to perform SSL acceleration or SSL termination. SSL certificates use cryptographic keys for encryption. RSA keys of increasing key lengths (e.g. 1024 bits and 2048 bits) were the most common cryptographic keys until a few years ago, but more efficient ECC (Elliptic Curve Cryptography) keys of shorter key lengths are replacing RSA keys as the mechanism to encrypt traffic.

How to Configure SSL Offloading?

To configure SSL offloading, organizations enable routing of SSL requests to an application delivery controller that intercepts SSL traffic, decrypts the traffic, and forwards it to a web server. In SSL offloading, importing a valid certificate and key and binding them to the web server are important to ensure correct exchange of unencrypted traffic.
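
The flow described above, sketched in Go as an added example (not Avi's code or configuration): a TLS listener stands in for the application delivery controller, decrypts the request, and relays it over plain HTTP to a backend web server. The function names, the X-Forwarded-Proto header and the test certificate that httptest supplies are assumptions of this example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// backendHandler plays the web server: it reports whether its own
// connection was encrypted and which scheme the offloader announced.
func backendHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "backend_tls=%t forwarded_proto=%s", r.TLS != nil, r.Header.Get("X-Forwarded-Proto"))
}

// newOffloader relays requests, already decrypted by the TLS listener,
// to the backend over plain HTTP.
func newOffloader(backend *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Overwrite any client-supplied value so the backend can rely on it.
		r.Header.Set("X-Forwarded-Proto", "https")
		proxy.ServeHTTP(w, r)
	})
}

// RunDemo sends one HTTPS request through the offloader. It returns whether
// the client leg used TLS, and the backend's report about its own leg.
func RunDemo() (bool, string, error) {
	backend := httptest.NewServer(http.HandlerFunc(backendHandler)) // plain HTTP
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		return false, "", err
	}
	front := httptest.NewTLSServer(newOffloader(target)) // constructed test cert
	defer front.Close()
	resp, err := front.Client().Get(front.URL) // client trusts the test cert
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	return resp.TLS != nil, string(raw), err
}

func main() { fmt.Println(RunDemo()) }
```

The backend reports `backend_tls=false`: the hop behind the offloader carries unencrypted traffic, and the backend learns that the client used HTTPS only from the header the offloader sets.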

What is SSL Offloading in a Load Balancer?

SSL offloading on a load balancer is now a required capability, and load balancers that provide it are also referred to as SSL load balancers. An SSL load balancer has the ability to encrypt and decrypt data transported via HTTPS, which uses the SSL protocol to secure data across the network.

Does Avi Offer SSL Offloading?

Yes, Avi provides SSL offloading of encrypted traffic that uses RSA 2K keys as well as traffic that uses ECC keys. Avi delivers high performance for SSL offloading, as well as a number of enterprise-grade features that help teams understand the health of SSL traffic, including alerting on incorrect versions, and troubleshoot SSL-related issues.

For more on the actual implementation of load balancing, security applications and web application firewalls, check out our Application Delivery How-To Videos.

For more information on SSL offloading, see the following resources: