From: Rick Macklem <rmacklem@uoguelph.ca>
To: Ronald Klop, freebsd-current@freebsd.org
Subject: Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Date: Sat, 23 Jan 2021 15:25:59 +0000

Ronald Klop wrote:
> On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan wrote:
>
> > Hi freebsd-current@,
> >
> > I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while
> > back.
> >
> > With 13.0-RELEASE around the corner, I'm thinking about upgrading my
> > home server, well if I can accelerate any SSL application.
> >
> > I'm asking because I have a home server on a symmetrical Gigabit
> > connection (Google Fiber/Webpass), and that server runs a Tor relay. If
> > you're interested in how Tor works, the EFF has a writeup:
> > https://www.eff.org/pages/what-tor-relay
> >
> > But the main point for you all is: more-or-less Tor relays deal with
> > 1000s of TLS connections going into and out of the server.
> >
> > Would In-Kernel TLS help with an application like Tor (or even load
> > balancers/TLS termination), or is it more for things like web servers
> > sending static files via sendfile() (e.g. CDN used by Netflix).
> >
> > My server could also work with Intel's QuickAssist (since it has an
> > Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?
There is now qat(4), which KTLS should be able to use, but I do
not think it has been tested for this. I also have no idea
if it can be used effectively for userland encryption?

> >
> > I'm asking since I don't know whether to upgrade my home server to 13.x
> > or leave it at 12.x. Yes, I do know we need a special OpenSSL to use
> > kTLS.
> >
> > -Neel

I cannot answer your main question. All I can tell you is this...
KTLS works very well for NFS, but that is, at least in part, because the data
never needs to move up to userspace. For server side read, the data is read
into anonymous pages by VOP_READ() and then those are handed to the
socket hanging off of MEXTPG mbufs. The KTLS then creates/encrypts the
application data records that go on the wire.

Since I assume Tor does SSL_write() or similar in userspace, the question
becomes "is doing the encryption in the kernel instead of userspace going
to perform better?". For something like a Chelsio-T6, I'd guess yes. For
software encryption, I have no idea?

The KTLS software encryption creates one kernel thread per CPU and then
sockets that are KTLS enabled are assigned to one of these threads. Does
this help w.r.t. your load balancing issue? Again, I have no idea.

> According to the history of the openssl port it has support for KTLS.
> https://www.freshports.org/security/openssl
> I don't know about the openssl in base.
I believe both openssl and openssl-devel in ports have the KTLS support
in them, although you might need to click on "KTLS" during the port
build to enable it. (I use openssl-devel, which is OpenSSL3, still in alpha
test, but seems to work well.)
openssl in base does not have KTLS support, as far as I know.

> But I think for Tor to support KTLS it needs to implement some things
> itself. More information about that could be asked of the maintainer of
> the port (https://www.freshports.org/security/tor/) or upstream at the Tor
> project.
To just make it work, I don't think changes are needed beyond linking to
the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
(There are new library calls an application can use to check to see if
KTLS is enabled for the connection, but if it doesn't care, I don't think
those calls are needed?)

You do need to run a kernel with "options KERN_TLS" and set
kern.ipc.tls.enable=1
kern.ipc.mb_use_ext_pgs=1

rick

> Regards,
> Ronald.
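The prerequisites Rick lists at the end (a kernel built with "options KERN_TLS" and the two sysctls set to 1) are easy to get half right, so here is an added POSIX sh check for them. This is example code written for this page, not code from the thread or from FreeBSD. The two checking functions take text as input so they can be exercised with constructed data on any host; only the trailing block, which runs when uname reports FreeBSD, feeds them live sysctl(8) output. It assumes the standard FreeBSD behaviour that `sysctl -e` prints `name=value` lines and that `kern.conftxt` holds the running kernel's config (present when the kernel includes INCLUDE_CONFIG_FILE, as GENERIC does).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the FreeBSD tree):
# verify the KTLS prerequisites named in the reply above.

# Return 0 only when both sysctls are 1.
# $1: text in "name=value" form, one variable per line, as printed by
#     sysctl -e kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs
ktls_sysctls_ok() {
    enable=$(printf '%s\n' "$1" | sed -n 's/^kern\.ipc\.tls\.enable=//p')
    extpgs=$(printf '%s\n' "$1" | sed -n 's/^kern\.ipc\.mb_use_ext_pgs=//p')
    [ "$enable" = "1" ] && [ "$extpgs" = "1" ]
}

# Return 0 when the kernel config text in $1 contains an
# "options KERN_TLS" line (leading whitespace and trailing comments allowed,
# but "KERN_TLSFOO" or a commented-out "#options KERN_TLS" do not match).
kernel_has_kern_tls() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*options[[:space:]]+KERN_TLS([[:space:]]|$)'
}

# Live check; skipped on non-FreeBSD hosts so the functions above can still
# be exercised with constructed input elsewhere.
if [ "$(uname -s)" = "FreeBSD" ]; then
    if kernel_has_kern_tls "$(sysctl -n kern.conftxt 2>/dev/null)"; then
        echo "kernel: options KERN_TLS present"
    else
        echo "kernel: options KERN_TLS not found; rebuild the kernel with it"
    fi
    if ktls_sysctls_ok "$(sysctl -e kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs 2>/dev/null)"; then
        echo "sysctls: KTLS enabled"
    else
        echo "sysctls: set kern.ipc.tls.enable=1 and kern.ipc.mb_use_ext_pgs=1" \
             "(put both lines in /etc/sysctl.conf to keep them across reboots)"
    fi
fi
```

A value set with `sysctl kern.ipc.tls.enable=1` at the prompt is lost at reboot; the two lines belong in /etc/sysctl.conf. The application-side check Rick mentions is, in OpenSSL 3, `BIO_get_ktls_send()` and `BIO_get_ktls_recv()` on the connection's write and read BIOs; an application that does not call them still gets KTLS offload when the kernel and library support it, which is the point of his reply.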