From: "Ronald Klop" <ronald-lists@klop.ws>
To: freebsd-current@freebsd.org
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Date: Sat, 23 Jan 2021 13:42:05 +0100

On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan wrote:

> Hi freebsd-current@,
>
> I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while
> back.
>
> With 13.0-RELEASE around the corner, I'm thinking about upgrading my
> home server, well if I can accelerate any SSL application.
>
> I'm asking because I have a home server on a symmetrical Gigabit
> connection (Google Fiber/Webpass), and that server runs a Tor relay. If
> you're interested in how Tor works, the EFF has a writeup:
> https://www.eff.org/pages/what-tor-relay
>
> But the main point for you all is: more-or-less Tor relays deal with
> 1000s TLS connections going into and out of the server.
>
> Would In-Kernel TLS help with an application like Tor (or even load
> balancers/TLS termination), or is it more for things like web servers
> sending static files via sendfile() (e.g. CDN used by Netflix).
>
> My server could also work with Intel's QuickAssist (since it has an
> Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?
>
> I'm asking since I don't know whether to upgrade my home server to 13.x
> or leave it at 12.x. Yes, I do know we need a special OpenSSL to use
> kTLS.
>
> -Neel

According to the history of the openssl port it has support for KTLS.
https://www.freshports.org/security/openssl

I don't know about the openssl in base.
But I think for Tor to support KTLS it needs to implement some things itself. More information about that could be asked of the maintainer of the port (https://www.freshports.org/security/tor/) or upstream at the Tor project.

Regards,
Ronald.