How to use ktls with openssl in base

Reply: Rick Macklem : "Re: How to use ktls with openssl in base"
Reply: Pete Wright : "Re: How to use ktls with openssl in base"
Reply: Alexander Leidinger : "Re: How to use ktls with openssl in base"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Pete French <pete_at_twisted.org.uk>
Date: Fri, 12 Sep 2025 20:08:01 UTC

Am running 14.3-STABLE form a few weeks ago, and I would rather like
to get KTLS working with the openssl in base. I have got it working
with GnuTLS form post easily enough (enable in the global config file
and it just works). But am having problems in base.

My understanding is that the openssl in base is compiled with ktls
support. For reading around, it seems I do need to enable it by
adding KTLS to the 'Options' directive in things like Apache,
but this doesn't seem to work.

I also tried adding it to /etc/ssl/openssl.cnf

I am checking to see if its working by making a connection and
then checking the value of kern.ipc.tls.stats.offload_total to
see if it increases. It does with GnuTLS, but it does not when I
use openssl s_client

I believe its actually parsing my options, because if I make a
deliberate typo it rejects them.

This is what I did in openssl.cnf

	[openssl_init]
	providers = provider_sect

	# Add KTLS to the options
	ssl_conf = local_ssl_conf

	[local_ssl_conf]
	ktls = local_ktls_conf

	[local_ktls_conf]
	Options = KTLS

and this is what I did in Apache

	SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS


but so far, the offload_total remains stubbornly static.
anyone got any hints?

thanks!

-pete.