[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: When should we https our mirrors?

 ❦ 17 octobre 2016 17:39 +0200, Cyril Brulebois <kibi@debian.org> :

> AFAICT from a recent https deployment, apt will perform a TLS handshake
> for each and every file it downloads from the mirror; including indices,
> translations, pdiffs, and finally debian packages.
> Either I've blatantly failed at noting what happened there (which is
> entirely possible since I was limited in time), or this HTTPS everywhere
> suggestion would lead to huge wastes in resources if apt doesn't get
> fixed.

There are tickets (RFC 5077) to avoid this. It's easy to implement as
long as the same process is used for all requests. This is automatic
with OpenSSL. With GNU TLS, I don't think this is automatic but this is
just a matter of calling gnutls_session_ticket_enable_client() on the

Most servers will support that out of the box. I have tools to check
that here (but they may not work with the API change in OpenSSL):
Let the machine do the dirty work.
            - The Elements of Programming Style (Kernighan & Plauger)

Attachment: signature.asc
Description: PGP signature

Reply to: