Date: Mon, 25 Jan 2021 14:45:34 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Message-ID: <YQXPR0101MB09683616001F91654CD27FE5DDBD0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20210125054656.GR21@kduck.mit.edu>
References: <bd56c9d3711738d65a074d73c04addd2@freebsd.org> <op.0xoawf2bkndu52@joepie> <YQXPR0101MB0968D75B9A846C4F91461A7DDDBF0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <20210125054656.GR21@kduck.mit.edu>
Benjamin Kaduk wrote:
>On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
>> Ronald Klop wrote:
>> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc@freebsd.org> wrote:
>> >But I think for Tor to support KTLS it needs to implement some things
>> >itself. More information about that could be asked at the maintainer of
>> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>> >project.
>> To just make it work, I don't think changes are needed beyond linking to
>> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
>> (There are new library calls an application can use to check to see if
>> KTLS is enabled for the connection, but if it doesn't care, I don't think
>> those calls are needed?)
>>
>> You do need to run a kernel with "options KERN_TLS" and set
>> kern.ipc.tls.enable=1
>> kern.ipc.mb_use_ext_pgs=1
>
>Note that upstream openssl is expecting to change in what ways ktls is
>(en/dis)abled by default; see
>https://github.com/openssl/openssl/issues/13794
Thanks for the pointer, Ben.
It appears that
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX)
or similar will soon be needed to enable it.
I'll add this call to the nfs-over-tls daemons, since it should be harmless to do.

Thanks for mentioning this, rick

-Ben
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"