nnrpd rate limits and ssl

Russ Allbery rra at stanford.edu
Mon Jun 4 13:51:48 UTC 2001


Jeffrey M Vinocur <jeff at litech.org> writes:

> At present, if SSL support is compiled in, rate-limiting in nnrpd is
> completely ignored.  Having this as a compile-time thing seems silly;
> cleartext connections could still be limited regardless of whether
> there's SSL support.

> I'm still curious why the above decision was made, though.  Is it just
> that the rate limits wouldn't be accurate because the encrypted
> datastream is wider than the raw data?  (If so...it seems like that
> would still be acceptable, with a warning in the manpage that it's the
> size of the pre-SSL datastream that is limited.)

As I recall, it was a case of parallel development; one person wrote the
SSL code and someone else wrote the rate limiting code and the easiest way
to merge them was to just not apply the rate limiting to the SSL side of
the fence.  It was something vaguely like that at least, and not a
conscious policy decision.

In other words, if you or anyone else wants to make the rate limiting
apply to SSL connections too, that would be great.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the inn-workers mailing list