Date: Sun, 24 Jan 2021 21:46:56 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Message-ID: <20210125054656.GR21@kduck.mit.edu>
In-Reply-To: <YQXPR0101MB0968D75B9A846C4F91461A7DDDBF0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
References: <bd56c9d3711738d65a074d73c04addd2@freebsd.org> <op.0xoawf2bkndu52@joepie> <YQXPR0101MB0968D75B9A846C4F91461A7DDDBF0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
> Ronald Klop wrote:
> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc@freebsd.org> wrote:
> >But I think for Tor to support KTLS it needs to implement some things
> >itself. More information about that could be asked at the maintainer of
> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
> >project.
> To just make it work, I don't think changes are needed beyond linking to
> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
> (There are new library calls an application can use to check to see if
> KTLS is enabled for the connection, but if it doesn't care, I don't think
> those calls are needed?)
>
> You do need to run a kernel with "options KERN_TLS" and set
> kern.ipc.tls.enable=1
> kern.ipc.mb_use_ext_pgs=1

Note that upstream openssl is expecting to change in what ways ktls is
(en/dis)abled by default; see https://github.com/openssl/openssl/issues/13794

-Ben
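A readiness check for the three prerequisites Rick lists (the KERN_TLS kernel option and the two sysctls), written as an added example that is not part of this thread or of FreeBSD. The function names and the sample kernel-config and sysctl output are constructed so the script runs anywhere; on a real host you would feed it the live kernel config and `sysctl` output as shown in the trailing comment.

```sh
#!/bin/sh
# Constructed sample inputs (not real host output) so the check runs offline.
SAMPLE_KERNCONF='ident GENERIC
options INET
options KERN_TLS'
SAMPLE_GOOD='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1'
SAMPLE_BAD='kern.ipc.tls.enable: 0
kern.ipc.mb_use_ext_pgs: 1'

# sysctl_value NAME OUTPUT: print the value of NAME from "name: value"
# lines (the format sysctl(8) prints); prints nothing if the knob is absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F': ' '$1 == k { print $2 }'
}

# ktls_status KERNCONF SYSCTL_OUTPUT: print "ready", or "missing:" followed
# by each prerequisite that is not in place; return 0 only when ready.
ktls_status() {
    kernconf=$1
    sysctl_out=$2
    missing=""
    printf '%s\n' "$kernconf" \
        | grep -Eq '^options[[:space:]]+KERN_TLS([[:space:]]|$)' \
        || missing="$missing options_KERN_TLS"
    for knob in kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs; do
        val=$(sysctl_value "$knob" "$sysctl_out")
        if [ -z "$val" ]; then
            # An absent sysctl usually means the kernel lacks KERN_TLS.
            missing="$missing $knob(absent)"
        elif [ "$val" != "1" ]; then
            missing="$missing $knob=$val"
        fi
    done
    if [ -z "$missing" ]; then
        echo ready
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# On a FreeBSD host, pass live data instead of the samples, e.g.:
#   ktls_status "$(cat /path/to/MYKERNEL)" \
#       "$(sysctl kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs)"
for s in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    ktls_status "$SAMPLE_KERNCONF" "$s" || :
done
```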
