Re: When should we https our mirrors?

To: debian-devel@lists.debian.org
Subject: Re: When should we https our mirrors?
From: Josh Triplett <josh@joshtriplett.org>
Date: Sat, 15 Oct 2016 17:15:23 -0700
Message-id: <[🔎] 20161016001521.igul3gp3tjnqlj5q@x>
In-reply-to: <[🔎] 20161015223141.3x3ym235gpxr5au6@bongo.bofh.it>

Marco d'Itri wrote:
> On Oct 15, Dimitri John Ledkov <xnox@debian.org> wrote:
> > I believe the TLS overhead costs are negligible, especially if one
> This is not about the TLS overhead: the real issue is not being able to
> use sendfile(2).

If you really want to use sendfile (or splice or vmsplice) for your TLS
connections, see AF_ALG and https://lwn.net/Articles/666509/ .

However, I seriously doubt that any Debian mirror will become CPU-bound
doing TLS before it saturates available network or disk bandwidth.

> > uses ECC keys. The further privacy it buys one, is IMHO, well worth
> > the effort. I would be in favor of Debian mirrors to auto-enroll into
> > letsencrypt certs.
> This would fail spectacularly due to the per-domain rate limiting
> imposed by LE.

Let's Encrypt has a process to request lifting that rate limit, and I
imagine they'd have no problem doing so for debian.org subdomains.

Reply to:

References:
- Re: When should we https our mirrors?
  - From: md@Linux.IT (Marco d'Itri)

Prev by Date: requiring vhosts (was: Re: When should we https our mirrors?)
Next by Date: Re: uscan download from sourceforge doesn't download what you expect!
Previous by thread: Re: When should we https our mirrors?
Next by thread: Re: When should we https our mirrors?
Index(es):
- Date
- Thread