Date: Tue, 24 Aug 2021 01:01:49 GMT
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: a1509acded2f - stable/13 - OpenSSL: Update KTLS documentation
Message-ID: <202108240101.17O11n3B026297@gitrepo.freebsd.org>
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=a1509acded2ff9ccfbbe10d9d8d5282b62370443 commit a1509acded2ff9ccfbbe10d9d8d5282b62370443 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-08-17 21:39:32 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-08-24 00:59:35 +0000 OpenSSL: Update KTLS documentation KTLS support has been changed to be off by default, and configuration is via a single "option" rather two "modes". Documentation is updated accordingly. Reviewed by: jkim Obtained from: OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100) Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D31441 (cherry picked from commit a208223130fb12daac9b4f52be1b3477b03ac521) --- crypto/openssl/doc/man3/SSL_CONF_cmd.pod | 4 ++++ crypto/openssl/doc/man3/SSL_CTX_set_mode.pod | 17 ----------------- crypto/openssl/doc/man3/SSL_CTX_set_options.pod | 23 +++++++++++++++++++++++ 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod index 900c4f3a5648..a3f447a986e3 100644 --- a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod +++ b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod @@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built-in OpenSSL functionality is not required. Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. +B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported +by the negotiated ciphersuites and extensions. Equivalent to +B<SSL_OP_ENABLE_KTLS>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod index 27eaebad1ea0..85e3353e0e2c 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod 
@@ -114,22 +114,6 @@ enables this behaviour to allow interoperability with such broken implementations. Please note that setting this option breaks interoperability with correct implementations. This option only applies to DTLS over SCTP. -=item SSL_MODE_NO_KTLS_TX - -Disable the use of the kernel TLS egress data-path. -By default kernel TLS is enabled if it is supported by the negotiated ciphersuites -and extensions and OpenSSL has been compiled with support for it. -The kernel TLS data-path implements the record layer, -and the crypto algorithm. The kernel will utilize the best hardware -available for crypto. Using the kernel data-path should reduce the memory -footprint of OpenSSL because no buffering is required. Also, the throughput -should improve because data copy is avoided when user data is encrypted into -kernel memory instead of the usual encrypt than copy to kernel. - -Kernel TLS might not support all the features of OpenSSL. For instance, -renegotiation, and setting the maximum fragment size is not possible as of -Linux 4.20. - =back All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by @@ -150,7 +134,6 @@ L<SSL_write(3)>, L<SSL_get_error(3)> =head1 HISTORY SSL_MODE_ASYNC was added in OpenSSL 1.1.0. -SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0. =head1 COPYRIGHT diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod index 969e0366c45a..231fe92d8e78 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod 
@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by setting this option. This is a server-side opton only. It is ignored by clients. +=item SSL_OP_ENABLE_KTLS + +Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must +have been compiled with support for it, and it must be supported by the +negotiated ciphersuites and extensions. The specific ciphersuites and extensions +that are supported may vary by platform and kernel version. + +The kernel TLS data-path implements the record layer, and the encryption +algorithm. The kernel will utilize the best hardware +available for encryption. Using the kernel data-path should reduce the memory +footprint of OpenSSL because no buffering is required. Also, the throughput +should improve because data copy is avoided when user data is encrypted into +kernel memory instead of the usual encrypt then copy to kernel. + +Kernel TLS might not support all the features of OpenSSL. For instance, +renegotiation, and setting the maximum fragment size is not possible as of +Linux 4.20. + +Note that with kernel TLS enabled some cryptographic operations are performed +by the kernel directly and not via any available OpenSSL Providers. This might +be undesirable if, for example, the application requires all cryptographic +operations to be performed by the FIPS provider. + =back The following options no longer have any effect but their identifiers are
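Review bot: In the SSL_CONF_cmd.pod hunk (@@ -495,6 +495,10 @@), the new B<KTLS> entry does not say that kernel TLS is off by default or how the flag is turned off again, whereas the neighbouring anti-replay text explains both the default and the disabling form. Since the commit message states that KTLS "has been changed to be off by default", suggest adding a sentence such as "Kernel TLS is off by default." before "Equivalent to B<SSL_OP_ENABLE_KTLS>." so the config-file documentation matches the option documentation.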
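Review bot: In the first SSL_CTX_set_mode.pod hunk (@@ -114,22 +114,6 @@), deleting the whole SSL_MODE_NO_KTLS_TX item leaves this manual page with no mention of kernel TLS at all, so a reader who looks here for the old mode gets no pointer to its replacement. Consider a one-line cross-reference to SSL_OP_ENABLE_KTLS in L<SSL_CTX_set_options(3)>, either in the mode list or in the SEE ALSO section that follows (the visible context shows L<SSL_write(3)>, L<SSL_get_error(3)> there).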
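Review bot: In the second SSL_CTX_set_mode.pod hunk (@@ -150,7 +134,6 @@), the HISTORY line "SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0." is removed, but no matching HISTORY entry for SSL_OP_ENABLE_KTLS appears in the SSL_CTX_set_options.pod hunk, which only touches the option list. Suggest adding "SSL_OP_ENABLE_KTLS was added in OpenSSL 3.0.0." to the HISTORY section of SSL_CTX_set_options.pod so the new option's provenance is not lost with the old mode's.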
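Review bot: In the SSL_CTX_set_options.pod hunk (@@ -237,6 +237,29 @@), the limitations paragraph cites only "as of Linux 4.20" immediately after the new text says supported ciphersuites and extensions "may vary by platform and kernel version"; for a FreeBSD tree that ships KTLS this reads as if Linux were the only platform. Suggest either qualifying the sentence ("for example, as of Linux 4.20") or stating that limitations differ per platform. Minor: the unchanged context line just above the insertion reads "server-side opton only"; since this is cherry-picked from upstream, that typo is best fixed in OpenSSL rather than diverging here.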