Date: Mon, 26 Aug 2019 17:14:42 -0700
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r351522 - in head: sbin/ifconfig share/man/man4 sys/conf sys/kern sys/modules sys/modules/ktls_ocf sys/net sys/netinet sys/netinet/tcp_stacks sys/netinet6 sys/opencrypto sys/sys tools/t...
Message-ID: <e744fd19-0f4e-ca5f-9b87-d48e1791a7f2@FreeBSD.org>
In-Reply-To: <201908270001.x7R01vUB052426@repo.freebsd.org>
References: <201908270001.x7R01vUB052426@repo.freebsd.org>

On 8/26/19 5:01 PM, John Baldwin wrote:
> Author: jhb
> Date: Tue Aug 27 00:01:56 2019
> New Revision: 351522
> URL: https://svnweb.freebsd.org/changeset/base/351522
>
> Log:
> Add kernel-side support for in-kernel TLS.

The length of the commit message notwithstanding, there is still quite a
bit more work to do on this front. Making use of KTLS requires an SSL
library that understands the new functionality, and for the full
performance gain you want an application that makes use of SSL_sendfile.
Netflix has both of these in the form of patches to OpenSSL and nginx.
I'm currently working on a patchset suitable for merging into upstream
OpenSSL's master (the Linux KTLS patches are merged into OpenSSL master
already, so the FreeBSD patches are fairly small).

One thing to note is that while the KTLS OCF backend in this commit is
functional, it is not ideal. One of the SW crypto backends Netflix uses
internally is based on Intel's ISA-L crypto library. I put together a
port for this based on the public ISA-L crypto library repository on
GitHub today and hope to have it up for review soon.

--
John Baldwin