Date: Tue, 10 Aug 2021 21:19:23 GMT
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: c7bb0f47f721 - main - nfs tls: Update for SSL_OP_ENABLE_KTLS.
Message-ID: <202108102119.17ALJNwu006729@gitrepo.freebsd.org>
The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=c7bb0f47f721a2095ed6100bca595ba68fa5645a commit c7bb0f47f721a2095ed6100bca595ba68fa5645a Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-08-10 21:18:43 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-08-10 21:18:43 +0000 nfs tls: Update for SSL_OP_ENABLE_KTLS. Upstream OpenSSL (and the KTLS backport) have switched to an opt-in option (SSL_OP_ENABLE_KTLS) in place of opt-out modes (SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel TLS. Reviewed by: rmacklem Sponsored by: Netflix MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31445 --- usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 5 +++++ usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c index af803f203ffd..5e66f4b4b2dd 100644 --- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c +++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c @@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void) SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; #else flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3; +#endif +#ifdef SSL_OP_ENABLE_KTLS + flags |= SSL_OP_ENABLE_KTLS; #endif SSL_CTX_set_options(ctx, flags); +#ifdef SSL_MODE_NO_KTLS_TX SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX); +#endif return (ctx); } diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 1c7687cad87a..71787b162acd 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c @@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, rpctls_verify_callback); } +#ifdef SSL_OP_ENABLE_KTLS + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif +#ifdef SSL_MODE_NO_KTLS_TX SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX); +#endif return (ctx); }
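Review bot: in the rpc.tlsclntd.c hunk (rpctls_setupcl_ssl), the new `#ifdef SSL_MODE_NO_KTLS_TX` guard tests only one of the two macros used by the call it protects, `SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);`, so an OpenSSL build that defines SSL_MODE_NO_KTLS_TX but not SSL_MODE_NO_KTLS_RX would fail to compile; `#if defined(SSL_MODE_NO_KTLS_TX) && defined(SSL_MODE_NO_KTLS_RX)` matches what the line actually needs. Separately, when neither SSL_OP_ENABLE_KTLS nor SSL_MODE_NO_KTLS_TX is defined, both new blocks compile away and the function quietly returns a context that never requests kernel TLS; an `#error` for that case would make a build against an OpenSSL without KTLS support fail loudly instead of producing a daemon that never enables kernel TLS.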
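Review bot: in the rpc.tlsservd.c hunk (rpctls_setup_ssl), the `#ifdef SSL_MODE_NO_KTLS_TX` guard has the same mismatch as the call it wraps uses both SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX; check both macros, or the build breaks on any OpenSSL that defines only the TX mode. As a style point, this hunk enables kernel TLS with a separate `SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);` whereas the client side ORs the flag into `flags` before its existing SSL_CTX_set_options call; both are correct because SSL_CTX_set_options is additive, but using one pattern in both daemons (or a small shared helper that encapsulates the two #ifdef blocks) would keep the KTLS setup from drifting apart the next time the OpenSSL API changes.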