Re: How to use ktls with openssl in base

From: Rick Macklem <rick.macklem_at_gmail.com>
Date: Fri, 12 Sep 2025 20:44:05 UTC

On Fri, Sep 12, 2025 at 1:08 PM Pete French <pete@twisted.org.uk> wrote:
>
> Am running 14.3-STABLE from a few weeks ago, and I would rather like
> to get KTLS working with the openssl in base. I have got it working
> with GnuTLS from ports easily enough (enable in the global config file
> and it just works). But am having problems in base.
Is kern.ipc.tls.enable set non-zero on the system?
(You might also need kern.ipc.tls.cbc_enable=1 too?)

For the NFS-over-TLS, once that is done, it works.
(But I have not tested 14.3.)

The call BIO_get_ktls_send() tests to see if it is enabled, but shouldn't
need to be done to enable it.

rick

>
> My understanding is that the openssl in base is compiled with ktls
> support. From reading around, it seems I do need to enable it by
> adding KTLS to the 'Options' directive in things like Apache,
> but this doesn't seem to work.
>
> I also tried adding it to /etc/ssl/openssl.cnf
>
> I am checking to see if it's working by making a connection and
> then checking the value of kern.ipc.tls.stats.offload_total to
> see if it increases. It does with GnuTLS, but it does not when I
> use openssl s_client
>
> I believe it's actually parsing my options, because if I make a
> deliberate typo it rejects them.
>
> This is what I did in openssl.cnf
>
>         [openssl_init]
>         providers = provider_sect
>
>         # Add KTLS to the options
>         ssl_conf = local_ssl_conf
>
>         [local_ssl_conf]
>         ktls = local_ktls_conf
>
>         [local_ktls_conf]
>         Options = KTLS
>
> and this is what I did in Apache
>
>         SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
>
>
> but so far, the offload_total remains stubbornly static.
> anyone got any hints?
>
> thanks!
>
> -pete.
>
>
>
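
The check discussed in this thread (kern.ipc.tls.enable non-zero, then comparing kern.ipc.tls.stats.offload_total before and after a connection), as an added example that is not part of either poster's message. The function names and the sample dumps are constructed for illustration, and the script assumes the `name: value` format that `sysctl kern.ipc.tls` prints.

```shell
#!/bin/sh
# Added example: compare two saved outputs of `sysctl kern.ipc.tls`,
# one taken before and one taken after a single TLS connection.

# Constructed sample dumps (not captured from a real host).
SAMPLE_BEFORE='kern.ipc.tls.enable: 1
kern.ipc.tls.cbc_enable: 1
kern.ipc.tls.stats.offload_total: 41'
SAMPLE_AFTER='kern.ipc.tls.enable: 1
kern.ipc.tls.cbc_enable: 1
kern.ipc.tls.stats.offload_total: 41'

# sysctl_value NAME DUMP -> prints the value of NAME, or nothing if absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v n="$1" -F': ' '$1 == n { print $2; exit }'
}

# ktls_verdict BEFORE AFTER -> prints one of:
#   disabled            kern.ipc.tls.enable is missing or 0
#   nocounter           offload_total is absent from one of the dumps
#   offloaded delta=N   the counter rose by N across the connection
#   static              the counter did not rise
ktls_verdict() {
    enable=$(sysctl_value kern.ipc.tls.enable "$2")
    before=$(sysctl_value kern.ipc.tls.stats.offload_total "$1")
    after=$(sysctl_value kern.ipc.tls.stats.offload_total "$2")
    if [ -z "$enable" ] || [ "$enable" -eq 0 ]; then
        echo disabled
    elif [ -z "$before" ] || [ -z "$after" ]; then
        echo nocounter
    elif [ "$after" -gt "$before" ]; then
        echo "offloaded delta=$((after - before))"
    else
        echo static
    fi
}

# With two file arguments, judge real dumps; otherwise use the samples.
if [ $# -eq 2 ]; then
    ktls_verdict "$(cat "$1")" "$(cat "$2")"
else
    ktls_verdict "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
fi
```

On a host, save `sysctl kern.ipc.tls` to a file, make one connection, save it again, and pass both files as arguments; other TLS traffic in between also moves the counter.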