From: Rick Macklem
To: tech-lists, "freebsd-current@freebsd.org"
Subject: Re: Getting started with ktls
Date: Wed, 17 Mar 2021 20:39:02 +0000
List-Id: Discussions about the use of FreeBSD-current

J. wrote:
>On Tue, Mar 16, 2021 at 11:46:27PM +0000, Rick Macklem wrote:
>>Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
>>you should see the count for at least one of the "crypts" ticking up.
>>If they are all zero, it isn't working. That might depend on the apps
>>or setup and does not necessarily indicate broken.
>
>OK. it's "not working" by those criteria on the stable/13 rpi4.
>This one has mutt (imaps) and lynx (https) installed. mutt appears to
>use tlsv1.3 to connect with my email provider.
I know that the receive direction only works for TLS1.2. Not sure
about the xmit direction?

Make sure you've done the following:
ktls_ocf - is loaded
these sysctls are set to 1
kern.ipc.tls.enable
kern.ipc.mb_use_ext_pgs

Beyond that, it will take someone more knowledgeable to figure
out if it can work for these apps?
(To be honest, for userspace applications I'm not sure there is
any advantage to using KTLS unless you have specialized
hardware.)

rick

>Trying the nfs-over-tls should definitely test it. When it works, the
>data on the wire after the first couple of Null RPCs is encrypted.
>Also, if you start the daemons with "-v",

This is what I'll try once buildworld etc completes on the main/14 rpi4.
--
J.
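
The checks listed in the message above (ktls_ocf loaded, both sysctls set to 1, at least one "crypts" counter under kern.ipc.tls.stats ticking up), written as a script. This is an added example, not part of the original e-mail or of FreeBSD. The function names are hypothetical, and the sample kldstat/sysctl text, including the counter names in it, is constructed so the script also runs off a FreeBSD host.

```shell
#!/bin/sh
# Added example: the three checks from the message, run over captured text.
# On FreeBSD: ktls_report "$(kldstat)" "$(sysctl -a)" "$(sleep 30; sysctl -a)"

# Constructed sample captures (values and counter names are illustrative).
SAMPLE_KLD='Id Refs Address                Size Name
 1   12 0xffff000000000000  1a2b3c8 kernel
 2    1 0xffff000001a2c000     9000 ktls_ocf.ko'
SAMPLE_BEFORE='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1
kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0'
SAMPLE_AFTER='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1
kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 42
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0'

# Print the value of one OID from "name: value" text on stdin, or "unset".
oid_value() {
    awk -v oid="$1" -F': ' '$1 == oid { print $2; f = 1 } END { if (!f) print "unset" }'
}

# Sum every kern.ipc.tls.stats counter whose name contains "crypts".
crypt_total() {
    awk -F': ' '$1 ~ /^kern\.ipc\.tls\.stats\./ && $1 ~ /crypts/ { s += $2 } END { print s + 0 }'
}

# ktls_report KLDSTAT_TEXT SYSCTL_BEFORE SYSCTL_AFTER; returns 0 only if
# every check passes and the summed crypts counters rose between captures.
ktls_report() {
    kld=$1; before=$2; after=$3; rc=0
    if printf '%s\n' "$kld" | grep -q 'ktls_ocf'; then
        echo "ok   ktls_ocf loaded"
    else
        echo "FAIL ktls_ocf not loaded"; rc=1
    fi
    for oid in kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs; do
        v=$(printf '%s\n' "$after" | oid_value "$oid")
        if [ "$v" = 1 ]; then echo "ok   $oid=1"
        else echo "FAIL $oid=$v (want 1)"; rc=1; fi
    done
    b=$(printf '%s\n' "$before" | crypt_total)
    a=$(printf '%s\n' "$after" | crypt_total)
    if [ "$a" -gt "$b" ]; then echo "ok   crypts counters rose by $((a - b))"
    else echo "FAIL crypts counters did not move ($b -> $a)"; rc=1; fi
    return $rc
}

ktls_report "$SAMPLE_KLD" "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

A non-zero return from the counter check only says that no KTLS encryption or decryption was counted between the two captures; generate TLS traffic from the application under test during that window.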