doughnuts on a fish hook
Paul Gear
paul at gear.dyndns.org
Wed Aug 27 22:24:54 UTC 2003
Magnus wrote:
>
> On Wednesday, August 27, 2003, at 08:47 AM, Paul Gear wrote:
>
>> Better than Daniel's recent suggestion, IMHO, is the useNoSSLForPackages
>> option. Point all of your servers at the same squid proxy, turn on the
>> use no SSL option, and all is well.
>>
>> On that note, there's no good reason for packages to be downloaded via
>> SSL, since they're all GPG signed anyway. Can we have
>> useNoSSLForPackages=1 made the default in the next version of RHL?
>
>
> Well, except that you're passing authentication data in the clear.
What authentication data? All of the account stuff goes across https as
normal - the No SSL is only used for the packages themselves. Here's a
squid log of my most recent 'up2date -l' followed by 'up2date -u':
1062022929.581 1808 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022938.799 347 hostname TCP_MISS/200 24112 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/listPackages/20030826081636 - DIRECT/66.187.232.101 application/binary
1062022939.710 159 hostname TCP_MISS/200 8027 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getObsoletes/20030826081636 - DIRECT/66.187.232.101 application/binary
1062022940.395 202 hostname TCP_MISS/200 4524 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackageHeader/pam_smb-1.1.6-9.9.i386.hdr - DIRECT/66.187.232.101 application/octet-stream
...
1062022961.126 1399 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022992.711 4751 hostname TCP_MISS/200 162298 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdda2wav-2.0-11.9.1.i386.rpm - DIRECT/66.187.232.101 application/octet-stream
1062023001.233 8241 hostname TCP_MISS/200 395911 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdrecord-2.0-11.9.1.i386.rpm - DIRECT/66.187.232.101 application/octet-stream
Nothing critical there in my book...
--
Paul
http://paulgear.webhop.net
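
An added example, not part of the original message: a small Python audit of a squid access.log that separates CONNECT tunnels from cleartext requests and flags any cleartext request that is not one of the package-fetch GETs seen in the log above. It assumes squid's native log format; the final POST line in the sample is constructed for illustration, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Fetch actions that appear as cleartext GETs in the log quoted in the message.
EXPECTED_CLEARTEXT = {"listPackages", "getObsoletes", "getPackageHeader", "getPackage"}

# Entries from the message, re-joined one per line; the final POST is constructed.
SAMPLE_LOG = """\
1062022929.581 1808 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022938.799 347 hostname TCP_MISS/200 24112 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/listPackages/20030826081636 - DIRECT/66.187.232.101 application/binary
1062022939.710 159 hostname TCP_MISS/200 8027 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getObsoletes/20030826081636 - DIRECT/66.187.232.101 application/binary
1062022940.395 202 hostname TCP_MISS/200 4524 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackageHeader/pam_smb-1.1.6-9.9.i386.hdr - DIRECT/66.187.232.101 application/octet-stream
1062022961.126 1399 hostname TCP_MISS/200 3032 CONNECT xmlrpc.rhn.redhat.com:443 - DIRECT/66.187.232.101 -
1062022992.711 4751 hostname TCP_MISS/200 162298 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdda2wav-2.0-11.9.1.i386.rpm - DIRECT/66.187.232.101 application/octet-stream
1062023001.233 8241 hostname TCP_MISS/200 395911 GET http://xmlrpc.rhn.redhat.com/XMLRPC/$RHN/redhat-linux-i386-9/getPackage/cdrecord-2.0-11.9.1.i386.rpm - DIRECT/66.187.232.101 application/octet-stream
1062023050.000 120 hostname TCP_MISS/200 512 POST http://xmlrpc.rhn.redhat.com/XMLRPC - DIRECT/66.187.232.101 text/xml
"""

def parse_line(line):
    """Split one squid native-format access.log entry into the fields we need."""
    f = line.split()
    if len(f) < 10:  # not a complete native-format entry
        return None
    return {"method": f[5], "url": f[6]}

def audit(log_text):
    """Sort requests into TLS tunnels, expected cleartext fetches, and suspects."""
    report = {"tunnelled": [], "cleartext_ok": [], "suspect": []}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "CONNECT":  # proxy sees only host:port, payload is TLS
            report["tunnelled"].append(e["url"])
            continue
        u = urlsplit(e["url"])
        parts = [p for p in u.path.split("/") if p]
        # Path layout seen in the message: /XMLRPC/$RHN/<channel>/<action>/<argument>
        action = parts[3] if len(parts) == 5 else None
        carries_data = bool(u.query or u.username) or e["method"] != "GET"
        if u.scheme == "http" and action in EXPECTED_CLEARTEXT and not carries_data:
            report["cleartext_ok"].append((action, parts[4]))
        else:
            report["suspect"].append((e["method"], e["url"]))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Anything that lands in "suspect" is a request the proxy could read in full, so it is the place to look for account traffic that escaped the CONNECT tunnel.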