Date: Sun, 14 Mar 2021 09:54:33 -0600
From: Alan Somers <asomers@freebsd.org>
To: FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: Re: Getting started with ktls
Message-ID: <CAOtMX2gNMw2%2BYcKT9cY35SqASmnvMMH9GDK66VjQvhA85Rj_kQ@mail.gmail.com>
In-Reply-To: <YE4kM3euujJw9saZ@ceres.zyxst.net>
References: <CAOtMX2ggNtsEQz7TinyHciqsgzUSjcdvMDb1oORKHtMBnzTELw@mail.gmail.com> <20210311003136.GM56617@kduck.mit.edu> <CAOtMX2iKtBAQWRzY1K9twAFrtdH=S559J6Zd%2Bm5D-YHHPVYf7g@mail.gmail.com> <20210311031501.GP56617@kduck.mit.edu> <CAOtMX2hApCJuTe8OqEJmjrj9vffLB%2BM%2Bc5qR=iPrhRnbeZf=jQ@mail.gmail.com> <YQXPR0101MB096899D3D2241D0D6D830227DD909@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <YE4kM3euujJw9saZ@ceres.zyxst.net>

On Sun, Mar 14, 2021 at 8:57 AM tech-lists <tech-lists@zyxst.net> wrote:

> On Thu, Mar 11, 2021 at 03:42:55PM +0000, Rick Macklem wrote:
> >I'm going to cheat and top post (the discussion looks
> >pretty convoluted).
> >
> >- The kernel must be built with "options KERN_TLS"
> >- OpenSSL must be built with KTLS enabled
> >- These two sysctls need to be set to 1
> >  kern.ipc.tls.enable
> >  kern.ipc.mb_use_ext_pgs
>
> Hello,
>
> I'd like to try ktls but have found the following:
>
> On AMD64 (stable/13) this option is present in the GENERIC kernel
> of world built about a month ago: stable/13-n244496-618dee60231
> and openssl version is 1.1.1i-freebsd
>
> On ARM64 (stable/13) it's *not* present in a world built earlier
> today from stable/13-n244876-0b45290603b. Here, the openssl version
> is 1.1.1j-freebsd
>
> On another ARM64 (main/14) it *is* present in main-n245445-07564e17620
> built with sources from the 11th March. openssl is 1.1.1j-freebsd here
> as well.
>
> I'd like to have it (ktls) available on the ARM64
> stable/13-n244876-0b45290603b. Is it just a matter of adding the option,
> and then the sysctls become available? Is it "better" with openssl[-devel]
> in ports or openssl in base?
>
> thanks,
> --
> J.

It's present in current kernels for both 13 and 14, amd64 and aarch64.
However, it's not present in 13's openssl. To use it, you must either
rebuild world with WITH_OPENSSL_KTLS=YES in /etc/src.conf, install
security/openssl-devel from pkg, or build security/openssl from ports with
the KTLS option enabled. I don't know if any version of openssl is
"better" than another. The sysctls should be available in any case.

-Alan
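
An added example, not part of the original message or of FreeBSD: a small sh check for the prerequisites listed in this thread (both sysctls set to 1, and the WITH_OPENSSL_KTLS knob in a src.conf-style file). The function names `ktls_sysctls_ok` and `srcconf_has_ktls` are hypothetical, and the sample input is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: check the KTLS prerequisites named in this thread.
# Function names and sample data are hypothetical / constructed.

# Read "name: value" lines (as printed by `sysctl name ...`) on stdin and
# report each required sysctl. Returns 0 only if both are present and 1.
ktls_sysctls_ok() {
    awk -F': *' '
        BEGIN {
            need["kern.ipc.tls.enable"] = 1
            need["kern.ipc.mb_use_ext_pgs"] = 1
        }
        ($1 in need) { seen[$1] = $2 }
        END {
            bad = 0
            for (n in need) {
                if (!(n in seen)) {
                    printf "MISSING %s\n", n; bad = 1
                } else if (seen[n] + 0 != 1) {
                    printf "OFF     %s=%s\n", n, seen[n]; bad = 1
                } else {
                    printf "OK      %s=1\n", n
                }
            }
            exit bad
        }'
}

# Return 0 if the given src.conf-style file has an uncommented
# WITH_OPENSSL_KTLS assignment (the knob the reply says 13 needs).
srcconf_has_ktls() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*WITH_OPENSSL_KTLS[[:space:]]*=' "$1"
}

# Constructed sample: TLS enabled, but mb_use_ext_pgs still 0.
sample='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 0'
printf '%s\n' "$sample" | ktls_sysctls_ok || echo "KTLS sysctls not ready"

# On a FreeBSD host, feed in the live values instead:
#   sysctl kern.ipc.tls.enable kern.ipc.mb_use_ext_pgs | ktls_sysctls_ok
#   srcconf_has_ktls /etc/src.conf
```

A sysctl that does not exist on the running kernel produces no line on stdout, so it is reported as MISSING rather than OFF.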