Subject: Re: Should we enable KERN_TLS on amd64 for FreeBSD 13?
To: Rick Macklem, Andrew Gallatin, freebsd-arch@FreeBSD.org, Allan Jude
References: <8eff83e5-49bc-d410-626e-603c03877b80@cs.duke.edu> <20210108214446.GJ31099@funkthat.com> <4fe4a57c-8c43-a677-4872-d0671104c414@FreeBSD.org>
From: Miroslav Lachman <000.fbsd@quip.cz>
Message-ID: <121d9135-e2a1-11ac-2538-f9fbb7505d89@quip.cz>
Date: Sat, 9 Jan 2021 19:29:08 +0100
List-Id: Discussion related to FreeBSD architecture (freebsd-arch@freebsd.org)

On 09/01/2021 15:08, Rick Macklem wrote:
> John Baldwin wrote:
>> John-Mark Gurney wrote:
>>> Andrew Gallatin wrote:
>>>>
>>>> There are essentially 3 options
>>>>
>>>> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
>>>> flipping kern.ipc.tls.enable=1
>>>>
>>>> The advantage of this is that it "just works" out of the box for users,
>>>> and for reviewers.
>>>>
>>>> The drawback is that new code is thrust on unsuspecting users,
>>>> potentially exposing them to bugs that we have not found in our
>>>> somewhat limited web serving workload.
>>>
>>> This is my vote.
>>>
>>> I assume that the in tree and ports tree OpenSSL libraries will make
>>> use of it when present? Does this mean fetch and the like will also
>>> use it when talking w/ https website? (that's a nice benefit).
>>
>> In tree OpenSSL does not support KTLS.
>> OpenSSL considers KTLS support
>> too large of a feature to officially backport to the 1.1.1 branch, so
>> if we add it in base, it will mean keeping it as a local diff.
>>
>> OTOH, I do maintain a backport of KTLS to 1.1.1 and there is a KTLS
>> option for the security/openssl port (not on by default, it perhaps
>> should be on 13?) which includes KTLS support. security/openssl-devel
>> (which tracks OpenSSL 3) also has a KTLS option that probably should
>> be enabled by default on 13 as it only consists of enabling the
>> option without requiring patches to the port.
> As of r557013, the KTLS option is enabled by default in openssl-devel.
>
>> I can raise the issue again with secteam about importing KTLS into the
>> base OpenSSL. I think the main issue is the risk of getting a merge
>> conflict when merging in an SA, though from my experience maintaining
>> the KTLS patchset against 1.1.1 for the past year or so, I expect that
>> risk to be fairly low.
>>
>> Personally, it would make my life a bit happier as a developer using
>> KTLS for it to at least be in GENERIC by default, but that's a pretty
>> narrow use case. :)
>
> I don't know what the relationship between ports and packages is,
> but if there is soon a package for openssl-devel (with KTLS enabled
> like it is in ports), then no build from sources would be needed for
> openssl.

If a package is built with a dependency on base OpenSSL then it will not use
libraries installed by openssl-devel. If a package is built with a dependency
on ports OpenSSL (security/openssl) then it pulls in the openssl package and
openssl-devel will be deinstalled, as it conflicts with other SSL
implementations. They cannot coexist.

> --> It is unfortunate that Openssl3 (openssl-devel) is still in alpha test.
>
> If there is a package for an openssl with KTLS support, then having KERN_TLS
> in GENERIC might be nice, since no source builds would be needed.
> (I have no preference w.r.t "enabled by default", since the
> sysctl can easily be set via sysctl.conf.)
>
> Although nfs-over-tls is not yet implemented for non-FreeBSD
> systems, I would like to see it become easy to enable during the
> FreeBSD release cycle and having KERN_TLS in GENERIC would
> be a step in that direction.
>
> Oh, and I'm not saying it is worth changing, but having Openssl
> use KTLS and the kernel use KERN_TLS slightly obscures the fact
> that they refer to related code.
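One way to verify where a given host actually stands on the two knobs this thread discusses (`options KERN_TLS` in the kernel config and the `kern.ipc.tls.enable` sysctl), as an added shell example that is not part of the thread or of FreeBSD's own tooling. It assumes the running kernel's config can be read back with `sysctl -n kern.conftxt` (available when the kernel was built with `options INCLUDE_CONFIG_FILE`, as GENERIC is); the `ktls_state` and `ktls_probe` names and the sample config fragments are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself.
# Classify a FreeBSD host's KTLS state from the two knobs discussed above:
# whether the running kernel was built with 'options KERN_TLS' and the
# value of the kern.ipc.tls.enable sysctl.
#
# Assumption: the kernel config is readable via `sysctl -n kern.conftxt`,
# which requires 'options INCLUDE_CONFIG_FILE' in the kernel config.

# ktls_state CONFTXT ENABLE
#   CONFTXT - kernel config text (as printed by `sysctl -n kern.conftxt`)
#   ENABLE  - value of kern.ipc.tls.enable, or empty when the sysctl is absent
# Prints exactly one of: compiled-enabled, compiled-disabled, not-compiled
ktls_state() {
    conftxt=$1
    enable=$2
    # Match the option line itself (optionally followed by a '#' comment),
    # not a commented-out line or a longer option name that merely starts
    # with KERN_TLS.
    if printf '%s\n' "$conftxt" |
       grep -Eq '^[[:space:]]*options[[:space:]]+KERN_TLS[[:space:]]*(#.*)?$'; then
        if [ "$enable" = "1" ]; then
            echo compiled-enabled
        else
            # Compiled in but the sysctl is 0 or missing: KTLS is inert.
            echo compiled-disabled
        fi
    else
        echo not-compiled
    fi
}

# ktls_probe - read the live values from the running system and classify them.
# On a host without the sysctls (or without sysctl at all) this reports
# not-compiled rather than failing.
ktls_probe() {
    conftxt=$(sysctl -n kern.conftxt 2>/dev/null || true)
    enable=$(sysctl -n kern.ipc.tls.enable 2>/dev/null || true)
    ktls_state "$conftxt" "$enable"
}

# Constructed sample config fragments for offline demonstration.
SAMPLE_CONF_KTLS='ident GENERIC
options INCLUDE_CONFIG_FILE
options KERN_TLS
device cpufreq'

SAMPLE_CONF_PLAIN='ident GENERIC
options INCLUDE_CONFIG_FILE
device cpufreq'

ktls_state "$SAMPLE_CONF_KTLS" 1     # compiled-enabled
ktls_state "$SAMPLE_CONF_KTLS" 0     # compiled-disabled
ktls_state "$SAMPLE_CONF_PLAIN" ""   # not-compiled
```

Run `ktls_probe` on the host itself to get the live classification; the `compiled-disabled` case is the one worth watching for, since it is exactly the state produced by shipping `KERN_TLS` in GENERIC while leaving `kern.ipc.tls.enable` at 0 until an operator flips it in sysctl.conf.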