Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 08 Jun 2026 18:58:47 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 295942] SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE data corruption on files > 128KB
Message-ID:  <bug-295942-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295942

            Bug ID: 295942
           Summary: SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE data
                    corruption on files > 128KB
           Product: Base System
           Version: 15.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: dinoex@FreeBSD.org

Setup:
lighttpd 1.4.82 running on FreeBSD-15.0
with OpenSSL 3.5.4 from base or with OpenSSL 3.5.6 from ports
Network driver: igb0

Serving static files with plain http and https using mod_openssl


Problem:
I got reports that a source packages fetched from my server where corrupted.

I was able to reproduce this on multiple servers.
Even with the default lighttpd config and adding:
ssl.engine = "enable".


Steps to reproduce:
The file must be > 128 kbyte to become corrupted.
Fetching the files and running sha256sum an the result showed:

6ef4e286...  20260601.tgz.curl.http
6ef4e286...  20260601.tgz.curl.https
6ef4e286...  20260601.tgz.fetch.http
a717baa2...  20260601.tgz.fetch.https
6ef4e286...  20260601.tgz.wget.http
347d964a...  20260601.tgz.wget.https

6ef4e286... is the correct checksum 

The error log reports:
lighttpd-1.4.82/src/mod_openssl.c.4808) SSL: addr:2***:****::*** ssl_err:5
ret:-1 errno:35: Resource temporarily unavailable

I was unable to reproduce the problem
on servers running FreeBSD-14.4.

14.4-RELEASE-p5 ssl=openssl35   mod_openssl     OK
14.4-RELEASE-p5 ssl=openssl35   mod_openssl     OK
15.0-RELEASE-p9 ssl=openssl35   mod_openssl     broken
15.0-RELEASE-p9 ssl=base        mod_openssl     broken
15.0-RELEASE-p9 ssl=openssl35   mod_wolfssl     OK


sysctl kern.ipc.tls.stats | grep -v ': 0'
FreeBSD-14:  all values zero
FreeBSD-15:
kern.ipc.tls.stats.ocf.separate_output: 2114
kern.ipc.tls.stats.ocf.inplace: 12982513
kern.ipc.tls.stats.ocf.tls13_chacha20_encrypts: 232
kern.ipc.tls.stats.ocf.tls13_chacha20_decrypts: 191
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 12984395
kern.ipc.tls.stats.ocf.tls13_gcm_decrypts: 6557803
kern.ipc.tls.stats.enable_calls: 3204921
kern.ipc.tls.stats.offload_total: 3204921
kern.ipc.tls.stats.threads: 4


Workaround: Disable KTLS in lighttpd.conf:
ssl.openssl.ssl-conf-cmd += ("Options" => "-KTLS")

-- 
You are receiving this mail because:
You are the assignee for the bug.
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-295942-227>