From: Rick Macklem <rmacklem@uoguelph.ca>
To: tech-lists, freebsd-current@freebsd.org
Subject: Re: Getting started with ktls
Date: Tue, 16 Mar 2021 23:46:27 +0000
J. wrote:
>On Sun, Mar 14, 2021 at 08:55:18PM +0000, Rick Macklem wrote:
>>Alan explains how to set it up, below.
>>However, I thought I'd note that maybe one person has tested KTLS
>>on arm64, so you should consider doing this for test purposes only.
>>If you do do some testing, please post with your results,
>>success or failure.
>>
>>>It's present in current kernels for both 13 and 14, amd64 and aarch64.
>>>However, it's not present in 13's openssl. To use it, you must either
>>>rebuild world with WITH_OPENSSL_KTLS=YES in /etc/src.conf,
>
>>Doing it this way means that everything linked to OpenSSL will use
>>it. Probably a better test situation, but expect at least the apache
>>server to break. (Most breakage was fixed by a recent patch to the
>>serf library, but I think the apache server is still broken.)
>
>OK, it's been built and all ports recompiled and reinstalled. Things
>that use openssl on this machine are mutt (imaps) lynx (https) and
>nginx (https) and py-certbot. They all seem to work.
>How would I test?
Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
you should see the count for at least one of the "crypts" ticking up.
If they are all zero, it isn't working. That might depend on the apps
or setup and does not necessarily indicate it is broken.

Trying the nfs-over-tls should definitely test it. When it works, the
data on the wire after the first couple of Null RPCs is encrypted.
Also, if you start the daemons with "-v", then it will log how the
handshake etc. goes in /var/log/daemon.log.

rick

>thanks,
>--
>J.
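As an added example (not from Rick's mail or the FreeBSD source tree), here is a small POSIX sh helper that turns the check above into something repeatable: it takes two snapshots of `sysctl kern.ipc.tls.stats` output, taken before and after some TLS traffic, and reports which `*_crypts` counters ticked up. The counter names in the embedded sample snapshots are constructed assumptions; the helper keys only on the `_crypts` suffix Rick refers to.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD.
# Rick's check: after TLS traffic, at least one "*_crypts" counter under
# kern.ipc.tls.stats should have ticked up. This helper compares two
# snapshots of "sysctl kern.ipc.tls.stats" output and prints the counters
# that grew. On a FreeBSD host:
#   before=$(sysctl kern.ipc.tls.stats); <generate TLS traffic>
#   after=$(sysctl kern.ipc.tls.stats); ktls_crypts_delta "$before" "$after"

# Print "name old -> new" for each *_crypts counter that increased.
# Exit status 0 if at least one grew, 1 if none did.
ktls_crypts_delta() {
    { printf '%s\n' "$1"; echo '=== AFTER ==='; printf '%s\n' "$2"; } |
    awk -F': ' '
        /^=== AFTER ===$/ { phase = 1; next }
        $1 !~ /_crypts$/ { next }          # only the crypt counters matter
        phase == 0 { before[$1] = $2; next }
        ($1 in before) && ($2 + 0) > (before[$1] + 0) {
            printf "%s %s -> %s\n", $1, before[$1], $2
            grew++
        }
        END { exit (grew ? 0 : 1) }
    '
}

# Constructed sample snapshots; the counter names are assumptions made
# for this example, the helper keys only on the "_crypts" suffix.
SNAP_BEFORE='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 17
kern.ipc.tls.stats.sw_tls13: 1'

SNAP_AFTER='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 42
kern.ipc.tls.stats.sw_tls13: 2'

if ktls_crypts_delta "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "KTLS is doing crypto work"
else
    echo "no crypt counter moved: KTLS not in use (check the app or setup)"
fi
```

A zero result does not prove KTLS is broken, as Rick notes: the application may simply not have handed its session keys to the kernel, so check the OpenSSL build and the application's KTLS support before assuming a kernel problem.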