Marco d'Itri wrote:
> On Oct 15, Dimitri John Ledkov <x...@debian.org> wrote:
> > I believe the TLS overhead costs are negligible, especially if one
> This is not about the TLS overhead: the real issue is not being able to
> use sendfile(2).

If you really want to use sendfile (or splice or vmsplice) for your TLS connections, see AF_ALG and https://lwn.net/Articles/666509/ . However, I seriously doubt that any Debian mirror will become CPU-bound doing TLS before it saturates available network or disk bandwidth.

> > uses ECC keys. The further privacy it buys one, is IMHO, well worth
> > the effort. I would be in favor of Debian mirrors to auto-enroll into
> > letsencrypt certs.
> This would fail spectacularly due to the per-domain rate limiting
> imposed by LE.

Let's Encrypt has a process to request lifting that rate limit, and I imagine they'd have no problem doing so for debian.org subdomains.