From: Neel Chauhan
To: freebsd-current@freebsd.org
Date: Wed, 20 Jan 2021 12:21:15 -0800
Subject: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?

Hi freebsd-current@,

I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while back. With 13.0-RELEASE around the corner, I'm thinking about upgrading my home server, well if I can accelerate any SSL application.

I'm asking because I have a home server on a symmetrical Gigabit connection (Google Fiber/Webpass), and that server runs a Tor relay. If you're interested in how Tor works, the EFF has a writeup: https://www.eff.org/pages/what-tor-relay

But the main point for you all is: more or less, Tor relays deal with 1000s of TLS connections going into and out of the server.

Would In-Kernel TLS help with an application like Tor (or even load balancers/TLS termination), or is it more for things like web servers sending static files via sendfile() (e.g. CDN used by Netflix)?

My server could also work with Intel's QuickAssist (since it has an Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?

I'm asking since I don't know whether to upgrade my home server to 13.x or leave it at 12.x. Yes, I do know we need a special OpenSSL to use kTLS.

-Neel