Date:      Sun, 14 Mar 2021 20:55:18 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Alan Somers <asomers@freebsd.org>, FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject:   Re: Getting started with ktls
Message-ID:  <YQXPR0101MB0968DA8912890879ECB7C35BDD6D9@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <CAOtMX2gNMw2%2BYcKT9cY35SqASmnvMMH9GDK66VjQvhA85Rj_kQ@mail.gmail.com>
References:  <CAOtMX2ggNtsEQz7TinyHciqsgzUSjcdvMDb1oORKHtMBnzTELw@mail.gmail.com> <20210311003136.GM56617@kduck.mit.edu> <CAOtMX2iKtBAQWRzY1K9twAFrtdH=S559J6Zd%2Bm5D-YHHPVYf7g@mail.gmail.com> <20210311031501.GP56617@kduck.mit.edu> <CAOtMX2hApCJuTe8OqEJmjrj9vffLB%2BM%2Bc5qR=iPrhRnbeZf=jQ@mail.gmail.com> <YQXPR0101MB096899D3D2241D0D6D830227DD909@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YE4kM3euujJw9saZ@ceres.zyxst.net>, <CAOtMX2gNMw2%2BYcKT9cY35SqASmnvMMH9GDK66VjQvhA85Rj_kQ@mail.gmail.com>

[stuff snipped]
> J. wrote:
>>
>> I'd like to have it (ktls) available on the ARM64
>> stable/13-n244876-0b45290603b. Is it just a matter of adding the option,
>> and then the sysctls become available? Is it "better" with openssl[-devel]
>> in ports or openssl in base?
>>
>> thanks,
>> --
>> J.\
Alan explains how to set it up, below.
However, I thought I'd note that maybe one person has tested KTLS
on arm64, so you should consider doing this for test purposes only.
If you do do some testing, please post with your results,
success or failure.

>It's present in current kernels for both 13 and 14, amd64 and aarch64.
>However, it's not present in 13's openssl.  To use it, you must either
>rebuild world with  WITH_OPENSSL_KTLS=YES in /etc/src.conf,
Doing it this way means that everything linked to OpenSSL will use
it. Probably a better test situation, but expect at least the apache
server to break. (Most breakage was fixed by a recent patch to the
serf library, but I think the apache server is still broken.)

>(or) install
>security/openssl-devel from pkg, or build security/openssl from ports with
>the KTLS option enabled.  I don't know if any version of openssl is
>"better" than another.  The sysctls should be available in any case.
Only applications built using includes from /usr/local/include and
linked to libraries in /usr/local/lib will use it for these cases.

If you want to try NFS-over-TLS, see this:
https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

Please let us know if you try it, rick

-Alan