❦ 17 October 2016 17:39 +0200, Cyril Brulebois <k...@debian.org>:
> AFAICT from a recent https deployment, apt will perform a TLS handshake
> for each and every file it downloads from the mirror; including indices,
> translations, pdiffs, and finally debian packages.
>
> Either I've blatantly failed at noting what happened there (which is
> entirely possible since I was limited in time), or this HTTPS everywhere
> suggestion would lead to huge wastes in resources if apt doesn't get
> fixed.

There are tickets (RFC 5077) to avoid this. It's easy to implement as
long as the same process is used for all requests. This is automatic
with OpenSSL. With GNU TLS, I don't think this is automatic but this is
just a matter of calling gnutls_session_ticket_enable_client() on the
session. Most servers will support that out of the box.

I have tools to check that here (but they may not work with the API
change in OpenSSL):
 https://github.com/vincentbernat/rfc5077
-- 
Let the machine do the dirty work.
            - The Elements of Programming Style (Kernighan & Plauger)
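The effect of RFC 5077 tickets on a one-connection-per-file client, as an added example that is not part of the original message and is not apt's code: a client in a single process either discards or carries over the TLS session between connections, and records whether each handshake was resumed. The loopback server is a constructed stand-in for a mirror, the function names are hypothetical, the `openssl` CLI is assumed to be installed to create a throwaway certificate, and the client is pinned to TLS 1.2 so the ticket is available as soon as the handshake ends.

```python
# Added example: counts full vs. resumed TLS handshakes against a loopback server.
import os, socket, ssl, subprocess, tempfile, threading

def make_cert(d):
    """Throwaway self-signed cert for localhost (assumes the openssl CLI is installed)."""
    key, crt = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return key, crt

def serve(listener, ctx, count):
    """Constructed stand-in for the mirror: answer `count` one-shot connections."""
    for _ in range(count):
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(64)
            tls.sendall(b"ok")

def download(n_files, keep_session):
    """Open one TLS connection per file; return session_reused for each connection."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_cert(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(crt, key)
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies cert and hostname
        client_ctx.load_verify_locations(crt)
        # TLS 1.2 delivers the ticket inside the handshake, so it is usable at once.
        client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        with socket.create_server(("127.0.0.1", 0)) as listener:
            port = listener.getsockname()[1]
            threading.Thread(target=serve, args=(listener, server_ctx, n_files),
                             daemon=True).start()
            session, reused = None, []
            for _ in range(n_files):
                raw = socket.create_connection(("127.0.0.1", port))
                with client_ctx.wrap_socket(raw, server_hostname="localhost",
                                            session=session) as tls:
                    tls.sendall(b"GET /file")
                    tls.recv(64)
                    reused.append(tls.session_reused)
                    if keep_session:
                        session = tls.session  # only valid with the same client context
            return reused

if __name__ == "__main__":
    print("session discarded:", download(4, keep_session=False))
    print("session kept:     ", download(4, keep_session=True))
```

Only the first connection pays for a full handshake when the session is kept; certificate and hostname verification stay enabled in both runs.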