Marco d'Itri wrote:
> On Oct 15, Dimitri John Ledkov <> wrote:
> > I believe the TLS overhead costs are negligible, especially if one
> This is not about the TLS overhead: the real issue is not being able to
> use sendfile(2).

If you really want to use sendfile (or splice or vmsplice) for your TLS
connections, see AF_ALG and .

However, I seriously doubt that any Debian mirror will become CPU-bound
doing TLS before it saturates available network or disk bandwidth.

> > uses ECC keys. The further privacy it buys one, is IMHO, well worth
> > the effort. I would be in favor of Debian mirrors to auto-enroll into
> > letsencrypt certs.
> This would fail spectacularly due to the per-domain rate limiting
> imposed by LE.

Let's Encrypt has a process to request lifting that rate limit, and I
imagine they'd have no problem doing so for subdomains.

Reply via email to