Date: Sat, 23 Jan 2021 15:25:59 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Message-ID: <YQXPR0101MB0968D75B9A846C4F91461A7DDDBF0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <op.0xoawf2bkndu52@joepie>
References: <bd56c9d3711738d65a074d73c04addd2@freebsd.org>, <op.0xoawf2bkndu52@joepie>
Ronald Klop wrote:
>On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc@freebsd.org> wrote:
>
>> Hi freebsd-current@,
>>
>> I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while
>> back.
>>
>> With 13.0-RELEASE around the corner, I'm thinking about upgrading my
>> home server, well if I can accelerate any SSL application.
>>
>> I'm asking because I have a home server on a symmetrical Gigabit
>> connection (Google Fiber/Webpass), and that server runs a Tor relay. If
>> you're interested in how Tor works, the EFF has a writeup:
>> https://www.eff.org/pages/what-tor-relay
>>
>> But the main point for you all is: more-or-less Tor relays deal with
>> 1000s TLS connections going into and out of the server.
>>
>> Would In-Kernel TLS help with an application like Tor (or even load
>> balancers/TLS termination), or is it more for things like web servers
>> sending static files via sendfile() (e.g. CDN used by Netflix).
>>
>> My server could also work with Intel's QuickAssist (since it has an
>> Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?
There is now qat(4), which KTLS should be able to use, but I do
not think it has been tested for this. I also have no idea
if it can be used effectively for userland encryption?

>>
>> I'm asking since I don't know whether to upgrade my home server to 13.x
>> or leave it at 12.x. Yes, I do know we need a special OpenSSL to use
>> kTLS.
>>
>> -Neel

I cannot answer your main question. All I can tell you is this...
KTLS works very well for NFS, but that is, at least in part, because the data
never needs to move up to userspace. For server side read, the data is read
into anonymous pages by VOP_READ() and then those are handed to the
socket hanging off of MEXTPG mbufs. The KTLS then creates/encrypts the
application data records that go on the wire.

Since I assume Tor does SSL_write() or similar in userspace, the question
becomes "is doing the encryption in the kernel instead of userspace going
to perform better?". For something like a Chelsio-T6, I'd guess yes. For
software encryption, I have no idea?

The KTLS software encryption creates one kernel thread per CPU and then
sockets that are KTLS enabled are assigned to one of these threads. Does
this help w.r.t. your load balancing issue? Again, I have no idea.

>According to the history of the openssl port it has support for KTLS.
>https://www.freshports.org/security/openssl
>I don't know about the openssl in base.
I believe both openssl and openssl-devel in ports have the KTLS support
in them, although you might need to click on "KTLS" during the port
build to enable it. (I use openssl-devel, which is OpenSSL3, still in alpha
test, but seems to work well.)
openssl in base does not have KTLS support, as far as I know.

>But I think for Tor to support KTLS it needs to implement some things
>itself. More information about that could be asked at the maintainer of
>the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>project.
To just make it work, I don't think changes are needed beyond linking to
the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
(There are new library calls an application can use to check to see if
KTLS is enabled for the connection, but if it doesn't care, I don't think
those calls are needed?)

You do need to run a kernel with "options KERN_TLS" and set
kern.ipc.tls.enable=1
kern.ipc.mb_use_ext_pgs=1

rick

Regards,
Ronald.
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
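The kernel-side requirements Rick lists (a KERN_TLS kernel plus the two sysctl knobs) as a preflight check, written here as an added example that is not part of the thread. It assumes the kern.ipc.tls sysctl tree is only present when the kernel was built with "options KERN_TLS"; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify the kernel-side settings the
# reply lists for KTLS. Reads "sysctl -a"-style lines (name: value) or
# /etc/sysctl.conf-style lines (name=value) from stdin and prints one
# verdict. Assumption (not stated on the page): the kern.ipc.tls sysctl
# tree exists only when the running kernel was built with
# "options KERN_TLS", so a missing kern.ipc.tls.enable means no support.

ktls_status() {
    enable="" extpgs=""
    while IFS= read -r line; do
        case "$line" in
            kern.ipc.tls.enable[:=]*)     v=${line#*[:=]}; enable=${v# } ;;
            kern.ipc.mb_use_ext_pgs[:=]*) v=${line#*[:=]}; extpgs=${v# } ;;
        esac
    done
    if [ -z "$enable" ]; then
        echo "no-kern-tls"       # kernel lacks "options KERN_TLS"
        return 2
    fi
    if [ "$enable" = "1" ] && [ "$extpgs" = "1" ]; then
        echo "ready"             # both knobs from the reply are set
        return 0
    fi
    # compiled in, but at least one knob is off (or absent)
    echo "not-ready enable=${enable} mb_use_ext_pgs=${extpgs:-missing}"
    return 1
}

# Constructed sample inputs standing in for real "sysctl -a" output.
SAMPLE_READY='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1'
SAMPLE_PARTIAL='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 0'
SAMPLE_NO_KTLS='kern.ipc.maxsockets: 1048576'

# Live use on a FreeBSD host:  sysctl -a | ktls_status
printf '%s\n' "$SAMPLE_READY" | ktls_status
```

The same function also accepts /etc/sysctl.conf, so it can confirm the settings are persisted, not only set on the running kernel.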