Date:      Wed, 17 Mar 2021 20:39:02 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        tech-lists <tech-lists@zyxst.net>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject:   Re: Getting started with ktls
Message-ID:  <YQXPR0101MB0968A8E04CA4D6C4BBB06B37DD6A9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YFIp9KEVlSFgQyYp@ceres.zyxst.net>
References:  <20210311003136.GM56617@kduck.mit.edu> <CAOtMX2iKtBAQWRzY1K9twAFrtdH=S559J6Zd%2Bm5D-YHHPVYf7g@mail.gmail.com> <20210311031501.GP56617@kduck.mit.edu> <CAOtMX2hApCJuTe8OqEJmjrj9vffLB%2BM%2Bc5qR=iPrhRnbeZf=jQ@mail.gmail.com> <YQXPR0101MB096899D3D2241D0D6D830227DD909@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YE4kM3euujJw9saZ@ceres.zyxst.net> <CAOtMX2gNMw2%2BYcKT9cY35SqASmnvMMH9GDK66VjQvhA85Rj_kQ@mail.gmail.com> <YQXPR0101MB0968DA8912890879ECB7C35BDD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YFDwrtagYb8xllVp@ceres.zyxst.net> <YQXPR0101MB096806853D2F666D892B983BDD6B9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <YFIp9KEVlSFgQyYp@ceres.zyxst.net>

J. wrote:
>On Tue, Mar 16, 2021 at 11:46:27PM +0000, Rick Macklem wrote:
>>Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
>>you should see the count for at least one of the "crypts" ticking up.
>>If they are all zero, it isn't working. That might depend on the apps
>>or setup and does not necessarily indicate broken.
>
>OK. It's "not working" by those criteria on the stable/13 rpi4.
>This one has mutt (imaps) and lynx (https) installed. mutt appears to
>use tlsv1.3 to connect with my email provider.
I know that the receive direction only works for TLS1.2. Not sure
about the xmit direction?

Make sure you've done the following:
 - ktls_ocf is loaded
 - these sysctls are set to 1:
     kern.ipc.tls.enable
     kern.ipc.mb_use_ext_pgs

Beyond that, it will take someone more knowledgeable to figure
out if it can work for these apps?
(To be honest, for userspace applications I'm not sure there is
 any advantage to using KTLS unless you have specialized
 hardware.)

rick

>Trying the nfs-over-tls should definitely test it. When it works, the
>data on the wire after the first couple of Null RPCs is encrypted.
>Also, if you start the daemons with "-v",

This is what I'll try once buildworld etc completes on the main/14 rpi4.
--
J.
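The two checks discussed in this exchange (the prerequisites Rick lists, and the "crypts counters ticking up" test) can be scripted. The following is an added example and not part of the mailing-list thread; the parsing functions take captured text so they can be exercised offline, and on a FreeBSD host you would feed them the output of `kldstat`, `sysctl kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs` and `sysctl kern.ipc.tls.stats`. The sample output below is constructed, and the individual counter names under kern.ipc.tls.stats are assumed for illustration; only the "crypts" suffix is taken from the mail.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight and activity checks for KTLS
# based on the criteria given in the mail. Functions take text so they can be
# run against captured output; counter names in the samples are assumed.

# ktls_prereqs_ok SYSCTL_TEXT KLDSTAT_TEXT
#   Returns 0 when ktls_ocf appears in the kldstat output and both
#   kern.ipc.tls.enable and kern.ipc.mb_use_ext_pgs read 1.
ktls_prereqs_ok() {
  sysctl_text=$1
  kld_text=$2
  printf '%s\n' "$kld_text" | grep -q 'ktls_ocf' || return 1
  enable=$(printf '%s\n' "$sysctl_text" | awk -F': ' '$1 == "kern.ipc.tls.enable" { print $2 }')
  extpgs=$(printf '%s\n' "$sysctl_text" | awk -F': ' '$1 == "kern.ipc.mb_use_ext_pgs" { print $2 }')
  [ "$enable" = "1" ] && [ "$extpgs" = "1" ]
}

# ktls_crypts_sum STATS_TEXT
#   Sums every kern.ipc.tls.stats counter whose name ends in "crypts".
#   Per the mail: if this stays at zero while TLS traffic flows, KTLS is not in use.
ktls_crypts_sum() {
  printf '%s\n' "$1" | awk -F': ' '$1 ~ /^kern\.ipc\.tls\.stats\..*crypts$/ { s += $2 } END { printf "%d\n", s }'
}

# ktls_active BEFORE_TEXT AFTER_TEXT
#   Returns 0 when the crypts counters grew between two snapshots of the stats.
ktls_active() {
  before=$(ktls_crypts_sum "$1")
  after=$(ktls_crypts_sum "$2")
  [ "$after" -gt "$before" ]
}

# Constructed sample output (not captured from a real box; counter names assumed)
SAMPLE_SYSCTL='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1'
SAMPLE_KLD='Id Refs Address                Size Name
 3    1 0xffffffff82a00000     4000 ktls_ocf.ko'
SAMPLE_BEFORE='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0'
SAMPLE_AFTER='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 42
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0'

if ktls_prereqs_ok "$SAMPLE_SYSCTL" "$SAMPLE_KLD"; then
  echo "prerequisites satisfied: ktls_ocf loaded, both sysctls set to 1"
else
  echo "prerequisites missing"
fi
if ktls_active "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; then
  echo "crypts counters ticked up: KTLS is in use"
else
  echo "crypts counters unchanged: KTLS not in use for this traffic"
fi
```

On a live system, take the first stats snapshot, generate TLS traffic (the nfs-over-tls test mentioned in the thread, or a TLS client), then take the second; the comparison of the two snapshots is what distinguishes "KTLS enabled" from "KTLS actually used", which is the distinction the mail draws.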