Re: When should we https our mirrors?

Marco d'Itri wrote:
> On Oct 15, Dimitri John Ledkov <xnox@debian.org> wrote:
> > I believe the TLS overhead costs are negligible, especially if one
> This is not about the TLS overhead: the real issue is not being able to
> use sendfile(2).

If you really want to use sendfile (or splice or vmsplice) for your TLS
connections, see AF_ALG and https://lwn.net/Articles/666509/ .

However, I seriously doubt that any Debian mirror will become CPU-bound
doing TLS before it saturates available network or disk bandwidth.

> > uses ECC keys. The further privacy it buys one is, IMHO, well worth
> > the effort. I would be in favor of Debian mirrors auto-enrolling into
> > letsencrypt certs.
> This would fail spectacularly due to the per-domain rate limiting
> imposed by LE.

Let's Encrypt has a process to request lifting that rate limit, and I
imagine they'd have no problem doing so for debian.org subdomains.