[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

Marco d'Itri wrote:
> On Oct 15, Dimitri John Ledkov <xnox@debian.org> wrote:
> > I believe the TLS overhead costs are negligible, especially if one
> This is not about the TLS overhead: the real issue is not being able to
> use sendfile(2).

If you really want to use sendfile (or splice or vmsplice) for your TLS
connections, see AF_ALG and https://lwn.net/Articles/666509/ .

However, I seriously doubt that any Debian mirror will become CPU-bound
doing TLS before it saturates available network or disk bandwidth.

> > uses ECC keys. The further privacy it buys one, is IMHO, well worth
> > the effort. I would be in favor of Debian mirrors to auto-enroll into
> > letsencrypt certs.
> This would fail spectacularly due to the per-domain rate limiting
> imposed by LE.

Let's Encrypt has a process to request lifting that rate limit, and I
imagine they'd have no problem doing so for debian.org subdomains.

Reply to: