
cacert-sysadm - Re: crl.cacert.org not responding sometimes

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: crl.cacert.org not responding sometimes


  • From: Philipp Guehring <philipp AT cacert.org>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: crl.cacert.org not responding sometimes
  • Date: Wed, 23 Oct 2013 01:40:23 +0200

Hi,

On 2013-10-22 02:11, Andre Klärner wrote:
> Hi Philipp,
>
>
> I already thought, that someone envisioned something clever like this.
>
> My idea would be to set up crl.cacert.org and www.cacert.org/crl so that
> they 301 reroute to appropriate mirrors, which then can also be two
> files hosted at any willing site.
I guess that some clients might not be happy to be sent around with HTTP
301; some CRL clients are most likely really dumb. I had an OCSP client
that did not support HTTP virtual hosts; it just sent a one-line GET
request, which did not work through our firewall back then (or something
...), so don't expect intelligent clients there.
>
> The idea is quite easily copied from http.debian.net, created by Raphael
> Geissert. Maybe it would work out to build a more minimalistic implementation
> of its idea for our purpose.
>
> My implementation design would be to host the two files on a server,
> update them using rsync or wget -N, and on crl.cacert.org check maybe once
> an hour if the delivered file is up to date (analogous to wget -N).

You want the download to be complete before you atomically replace the
CRLs, so that any concurrent downloads of the to-be-replaced CRL aren't
delivering broken CRLs during the update mechanism.
I tried to implement the necessary logic on crl.cacert.org, as far as I
remember.
(Although Linux filesystems do not seem to offer atomic rename
replacements anymore lately; they seem to delete the original first and
rename the new file afterwards.)
And my solution was designed to verify (check the signature of) the CRL
after it has been downloaded from www.cacert.org and before it is
activated and replaces the older one. So broken downloads should be
filtered out that way. (I wanted to implement that; I am not sure at the
moment whether I actually did it or not.)

> Then
> redirect the clients with a 301 to one of the active mirror URLs, while
> trying to distribute the traffic quite evenly.
>
> I for my part would be happy to host a bit (5-10GB) of the crl-traffic on
> my servers.
Yes, that's what I envisioned, that there would be several possibilities
to get it hosted.

Best regards,
Philipp
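Added example (not part of Philipp's mail and not CAcert's own crl.cacert.org script): a POSIX sh sketch of the download, verify, then activate cycle the message describes, with a throwaway test CA built inline so it runs offline. It assumes the caller (wget -N, rsync, ...) has already fetched the candidate CRL into a temporary file in the same directory as the active CRL, so the final mv is a single rename(2), which POSIX defines as atomic: a client opening the published path at that instant sees either the complete old file or the complete new one. The file names, the test CA, the crlNumber rollback check (a lagging mirror must not hand back an older CRL) and the PEM format are this example's assumptions; for a DER CRL add -inform DER to the openssl crl calls, and in production also compare nextUpdate against the clock.

```shell
#!/bin/sh
# Added example, not CAcert's crl.cacert.org code. Assumed layout: the
# active CRL is published at DEST, the issuing CA certificate is at CAFILE,
# and the caller has already downloaded the candidate CRL into a temp file
# that lives in the same directory (same filesystem) as DEST.
set -eu

# crl_number FILE: print the CRL's crlNumber in decimal (0 if absent/unreadable)
crl_number() {
    hex=$(openssl crl -in "$1" -noout -crlnumber 2>/dev/null | sed -n 's/^crlNumber=//p')
    case $hex in
        ''|*[!0-9A-Fa-f]*) echo 0 ;;      # "<NONE>" or not a parseable CRL
        *) echo $((0x$hex)) ;;
    esac
}

# activate_crl NEWFILE DEST CAFILE
# Accept NEWFILE only if it parses as a CRL whose signature verifies against
# CAFILE (rejects truncated downloads and CRLs from the wrong CA) and its
# crlNumber is not lower than the active CRL's (rejects a stale mirror rolling
# the CRL back). Only then rename it over DEST: mv within one filesystem is a
# single rename(2), so readers never observe a half-written CRL.
activate_crl() {
    new=$1; dest=$2; cafile=$3
    if ! openssl crl -in "$new" -noout -CAfile "$cafile" >/dev/null 2>&1; then
        echo "activate_crl: $new is not a CRL signed by $cafile; keeping $dest" >&2
        rm -f "$new"
        return 1
    fi
    if [ -f "$dest" ]; then
        old_n=$(crl_number "$dest"); new_n=$(crl_number "$new")
        if [ "$new_n" -lt "$old_n" ]; then
            echo "activate_crl: crlNumber $new_n is older than active $old_n; refusing" >&2
            rm -f "$new"
            return 1
        fi
    fi
    mv -f "$new" "$dest"
}

# make_test_ca DIR: constructed fixture so the example runs offline, a
# throwaway CA whose key never leaves DIR. On crl.cacert.org the CA cert
# would be CAcert's own and the CRL would be fetched from www.cacert.org.
make_test_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=ExampleCRLTestCA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ca]
default_ca = test_ca
[test_ca]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 7
EOF
}

# issue_crl DIR OUT: sign a fresh CRL with the test CA; crlnumber increments per call
issue_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" -cert "$1/ca.crt" \
        -out "$2" 2>/dev/null
}

# demo: run the cycle in a scratch dir; returns 0 only if every check behaved
# as intended: (1) first download activated, (2) truncated download refused
# and the old CRL left untouched, (3) complete newer CRL activated,
# (4) a stale mirror serving CRL #1 again refused.
demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    make_test_ca "$work"
    active=$work/revoke.crl
    ca=$work/ca.crt

    issue_crl "$work" "$work/.download1"
    activate_crl "$work/.download1" "$active" "$ca" || return 1
    cp "$active" "$work/stale_copy"              # what a lagging mirror would still serve

    issue_crl "$work" "$work/.download2"
    dd if="$work/.download2" of="$work/.download2.trunc" bs=200 count=1 2>/dev/null
    if activate_crl "$work/.download2.trunc" "$active" "$ca"; then return 1; fi
    [ "$(crl_number "$active")" -eq 1 ] || return 1  # old CRL untouched

    activate_crl "$work/.download2" "$active" "$ca" || return 1
    [ "$(crl_number "$active")" -eq 2 ] || return 1

    cp "$work/stale_copy" "$work/.download3"
    if activate_crl "$work/.download3" "$active" "$ca"; then return 1; fi
    [ "$(crl_number "$active")" -eq 2 ] || return 1  # no rollback
    echo "CRL activation checks OK: active crlNumber $(crl_number "$active")"
}

demo
```

The verify step deliberately runs before the rename, so a corrupt or foreign file is discarded in the temp location and the published CRL is never touched; hooking this behind wget -N or rsync is just a matter of pointing their output at the temp file name.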



