From owner-freebsd-current@freebsd.org Mon Jan 25 14:45:37 2021
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Benjamin Kaduk
CC: Ronald Klop, freebsd-current@freebsd.org
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Date: Mon, 25 Jan 2021 14:45:34 +0000
In-Reply-To: <20210125054656.GR21@kduck.mit.edu>

Benjamin Kaduk wrote:
>On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
>> Ronald Klop wrote:
>> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan wrote:
>> >But I think for Tor to support KTLS it needs to implement some things
>> >itself. More information about that could be asked at the maintainer of
>> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>> >project.
>> To just make it work, I don't think changes are needed beyond linking to
>> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
>> (There are new library calls an application can use to check to see if
>> KTLS is enabled for the connection, but if it doesn't care, I don't think
>> those calls are needed?)
>>
>> You do need to run a kernel with "options KERN_TLS" and set
>> kern.ipc.tls.enable=1
>> kern.ipc.mb_use_ext_pgs=1
>
>Note that upstream openssl is expecting to change in what ways ktls is
>(en/dis)abled by default; see
>https://github.com/openssl/openssl/issues/13794
Thanks for the pointer Ben.
It appears that
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX)
or similar will soon be needed to enable it.
I'll add this call to the nfs-over-tls daemons, since it should be harmless to do.

Thanks for mentioning this, rick

-Ben
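As an added example (not from the thread or from any FreeBSD or OpenSSL code), a small POSIX sh audit of the kernel-side prerequisites Rick lists: "options KERN_TLS" in the kernel config and the two sysctls set to 1 in an /etc/sysctl.conf-style file. File paths and the sample config contents below are constructed; the OpenSSL-side enable call is not covered because its final form was still being decided in the linked issue.

```shell
#!/bin/sh
# Added example: check the FreeBSD kTLS prerequisites named in the thread.
# Inputs are a kernel config file and a sysctl.conf-style file; both are
# constructed below so the script runs offline on any POSIX sh.

# Return 0 if the kernel config file enables the KERN_TLS option.
kernel_has_kern_tls() {
    grep -Eq '^[[:space:]]*options[[:space:]]+KERN_TLS([[:space:]]|$)' "$1"
}

# Print the value a sysctl.conf-style file assigns to a name (last one wins).
# Dots in the name are escaped so they match literally in the sed pattern.
sysctl_conf_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$name[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only when both sysctls from the thread are set to 1.
sysctls_enable_ktls() {
    [ "$(sysctl_conf_value "$1" kern.ipc.tls.enable)" = 1 ] &&
    [ "$(sysctl_conf_value "$1" kern.ipc.mb_use_ext_pgs)" = 1 ]
}

# Overall check: report what is missing, return 0 when everything is present.
ktls_prereqs_ok() {
    rc=0
    kernel_has_kern_tls "$1" || { echo "kernel config lacks: options KERN_TLS"; rc=1; }
    sysctls_enable_ktls "$2" || { echo "sysctl.conf must set kern.ipc.tls.enable=1 and kern.ipc.mb_use_ext_pgs=1"; rc=1; }
    return $rc
}

# Constructed sample inputs: one compliant pair and one non-compliant pair.
tmp=$(mktemp -d)
printf 'ident MYKERNEL\noptions KERN_TLS\n' > "$tmp/KERN_GOOD"
printf 'ident MYKERNEL\n# options KERN_TLS\n' > "$tmp/KERN_BAD"
printf 'kern.ipc.tls.enable=1\nkern.ipc.mb_use_ext_pgs=1 # kTLS\n' > "$tmp/sysctl_good.conf"
printf 'kern.ipc.tls.enable=0\n' > "$tmp/sysctl_bad.conf"

if ktls_prereqs_ok "$tmp/KERN_GOOD" "$tmp/sysctl_good.conf"; then
    echo "good pair: kTLS prerequisites present"
fi
ktls_prereqs_ok "$tmp/KERN_BAD" "$tmp/sysctl_bad.conf" || echo "bad pair: not ready for kTLS"
```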