Date:      Mon, 25 Jan 2021 14:45:34 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Benjamin Kaduk <kaduk@mit.edu>
Cc:        Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject:   Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Message-ID:  <YQXPR0101MB09683616001F91654CD27FE5DDBD0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20210125054656.GR21@kduck.mit.edu>
References:  <bd56c9d3711738d65a074d73c04addd2@freebsd.org> <op.0xoawf2bkndu52@joepie> <YQXPR0101MB0968D75B9A846C4F91461A7DDDBF0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>, <20210125054656.GR21@kduck.mit.edu>


Benjamin Kaduk wrote:
>On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
>> Ronald Klop wrote:
>> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc@freebsd.org> wrote:
>> >But I think for Tor to support KTLS it needs to implement some things
>> >itself. More information about that could be asked at the maintainer of
>> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>> >project.
>> To just make it work, I don't think changes are needed beyond linking to
>> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
>> (There are new library calls an application can use to check to see if
>> KTLS is enabled for the connection, but if it doesn't care, I don't think
>> those calls are needed?)
>>
>> You do need to run a kernel with "options KERN_TLS" and set
>> kern.ipc.tls.enable=1
>> kern.ipc.mb_use_ext_pgs=1
>
>Note that upstream openssl is expecting to change in what ways ktls is
>(en/dis)abled by default; see
>https://github.com/openssl/openssl/issues/13794
Thanks for the pointer Ben.
It appears that
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX)
or similar will soon be needed to enable it.
I'll add this call to the nfs-over-tls daemons, since it should be harmless to do.

Thanks for mentioning this, rick

-Ben
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
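A POSIX sh check for the FreeBSD-side prerequisites Rick lists above (a kernel built with "options KERN_TLS", kern.ipc.tls.enable=1 and kern.ipc.mb_use_ext_pgs=1), added here as an example and not part of the thread. The decision logic takes the sysctl values as arguments so it can be exercised off a FreeBSD box; it assumes the kern.ipc.tls.* OIDs are only present when the kernel was built with KERN_TLS.

```shell
#!/bin/sh
# ktls_prereqs.sh: report whether this FreeBSD host is set up so that an
# OpenSSL application can hand TLS record encryption to the kernel.
# Assumption: kern.ipc.tls.enable does not exist unless the kernel was
# built with "options KERN_TLS", so its absence means "rebuild the kernel".

# ktls_eval: pure decision logic, so it can be tested without a FreeBSD host.
#   $1 = value of kern.ipc.tls.enable     ("" if the OID is absent)
#   $2 = value of kern.ipc.mb_use_ext_pgs ("" if the OID is absent)
# Prints one line per missing prerequisite; returns 0 when all are met.
ktls_eval() {
  tls_enable=$1
  ext_pgs=$2
  rc=0
  if [ -z "$tls_enable" ]; then
    echo "kern.ipc.tls.enable not present: kernel lacks 'options KERN_TLS'"
    rc=1
  elif [ "$tls_enable" != "1" ]; then
    echo "kern.ipc.tls.enable=$tls_enable: set kern.ipc.tls.enable=1"
    rc=1
  fi
  if [ "$ext_pgs" != "1" ]; then
    echo "kern.ipc.mb_use_ext_pgs=${ext_pgs:-<absent>}: set kern.ipc.mb_use_ext_pgs=1"
    rc=1
  fi
  return $rc
}

# ktls_status: read the live sysctl values and evaluate them (FreeBSD only).
ktls_status() {
  if [ "$(uname -s)" != "FreeBSD" ]; then
    echo "not FreeBSD: nothing to check here"
    return 1
  fi
  en=$(sysctl -n kern.ipc.tls.enable 2>/dev/null)
  ep=$(sysctl -n kern.ipc.mb_use_ext_pgs 2>/dev/null)
  if ktls_eval "$en" "$ep"; then
    echo "kernel side ready for kTLS (the application must still be linked"
    echo "against an OpenSSL built with kTLS support)"
  fi
}
```

Run as `sh ktls_prereqs.sh` with a final line `ktls_status` appended; a non-zero exit means at least one prerequisite from the thread is missing.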