Date:      Mon, 26 Aug 2019 17:14:42 -0700
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r351522 - in head: sbin/ifconfig share/man/man4 sys/conf sys/kern sys/modules sys/modules/ktls_ocf sys/net sys/netinet sys/netinet/tcp_stacks sys/netinet6 sys/opencrypto sys/sys tools/t...
Message-ID:  <e744fd19-0f4e-ca5f-9b87-d48e1791a7f2@FreeBSD.org>
In-Reply-To: <201908270001.x7R01vUB052426@repo.freebsd.org>
References:  <201908270001.x7R01vUB052426@repo.freebsd.org>

On 8/26/19 5:01 PM, John Baldwin wrote:
> Author: jhb
> Date: Tue Aug 27 00:01:56 2019
> New Revision: 351522
> URL: https://svnweb.freebsd.org/changeset/base/351522
> 
> Log:
>   Add kernel-side support for in-kernel TLS.

The length of the commit message notwithstanding, there is still quite a bit
more work to do on this front.  Making use of KTLS requires an SSL library
that understands the new functionality, and for the full performance gain
you want an application that makes use of SSL_sendfile.  Netflix has both
of these in the form of patches to OpenSSL and nginx.  I'm currently working
on a patchset suitable for merging into upstream OpenSSL's master (the
Linux KTLS patches are merged into OpenSSL master already, so the FreeBSD
patches are fairly small).

One thing to note is that while the KTLS OCF backend in this commit is
functional, it is not ideal.  One of the SW crypto backends Netflix uses
internally is based on Intel's ISA-L crypto library.  I put together a
port for this based on the public ISA-L crypto library repository on
GitHub today and hope to have it up for review soon.

-- 
John Baldwin


