
Re: When should we https our mirrors?

On 10/17/2016 08:48 PM, Cyril Brulebois wrote:
> Philipp Kern <pkern@debian.org> (2016-10-17):
>> On 10/17/2016 05:39 PM, Cyril Brulebois wrote:
>>> AFAICT from a recent https deployment, apt will perform a TLS handshake
>>> for each and every file it downloads from the mirror; including indices,
>>> translations, pdiffs, and finally debian packages.
>> Last I checked it pipelined within a single TLS connection (well, one
>> per host). A casual Wireshark seems to confirm that.
> Ah. What I saw might have been due to client cert auth then? I guess I
> should revisit this setup when I find more time. There's also the
> Pipeline-Depth option being advertised as not supported for https, too.

We use it with a TPM-backed client certificate, so redoing the handshake
all the time would be quite slow. cURL keeps open connections around in
its handle as created by curl_easy_init().

Kind regards
Philipp Kern
