Re: How to use ktls with openssl in base

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Sat, 13 Sep 2025 09:46:44 UTC

On 2025-09-12 22:08, Pete French wrote:
> Am running 14.3-STABLE from a few weeks ago, and I would rather like
> to get KTLS working with the openssl in base. I have got it working
> with GnuTLS from ports easily enough (enable in the global config file
> and it just works). But am having problems in base.
> 
> My understanding is that the openssl in base is compiled with ktls
> support. From reading around, it seems I do need to enable it by
> adding KTLS to the 'Options' directive in things like Apache,
> but this doesn't seem to work.
> 
> I also tried adding it to /etc/ssl/openssl.cnf
> 
> I am checking to see if it's working by making a connection and
> then checking the value of kern.ipc.tls.stats.offload_total to
> see if it increases. It does with GnuTLS, but it does not when I
> use openssl s_client.
> 
> I believe it's actually parsing my options, because if I make a
> deliberate typo it rejects them.
> 
> This is what I did in openssl.cnf
> 
> 	[openssl_init]
> 	providers = provider_sect
> 
> 	# Add KTLS to the options
> 	ssl_conf = local_ssl_conf
> 
> 	[local_ssl_conf]
> 	ktls = local_ktls_conf
> 
> 	[local_ktls_conf]
> 	Options = KTLS
> 
> and this is what I did in Apache
> 
> 	SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
> 
> 
> But so far, the offload_total remains stubbornly static.
> Anyone got any hints?

For nginx it is "ssl_conf_command Options KTLS;", nothing in openssl.cnf 
needed then. No special build options for src, only 
kern.ipc.tls.enable=1 in sysctl.conf.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
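
The check described in this thread (read kern.ipc.tls.stats.offload_total, make one TLS connection, read it again), written out as a script. This is an added example, not part of either message; the function names, return codes and the host/port in the usage line are assumptions, and it is meant to run on the FreeBSD host whose kernel should be doing the offload.

```sh
#!/bin/sh
# Added example, not from the thread. The counter is system-wide, so run
# this on a quiet machine or other TLS sessions will also move it.

# Print the value of one sysctl OID; fail if it cannot be read.
read_oid() {
    sysctl -n "$1" 2>/dev/null
}

# Complete one TLS handshake, then close (stdin is already at EOF).
tls_connect() {
    openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
}

# ktls_check HOST PORT
# Returns 0 if offload_total grew, 1 if it did not move,
# 2 if kern.ipc.tls.enable is not 1,
# 3 if a sysctl could not be read or the connection failed.
ktls_check() {
    host=$1
    port=$2
    enabled=$(read_oid kern.ipc.tls.enable) || return 3
    if [ "$enabled" != "1" ]; then
        echo "kern.ipc.tls.enable=$enabled (expected 1)" >&2
        return 2
    fi
    before=$(read_oid kern.ipc.tls.stats.offload_total) || return 3
    if ! tls_connect "$host" "$port"; then
        echo "TLS connection to $host:$port failed" >&2
        return 3
    fi
    after=$(read_oid kern.ipc.tls.stats.offload_total) || return 3
    echo "offload_total: $before -> $after"
    [ "$after" -gt "$before" ]
}

# Assumed usage: sh ktls_check.sh 127.0.0.1 443
if [ "$#" -ge 2 ]; then
    ktls_check "$1" "$2"
fi
```

A return code of 2 points at the sysctl setting, while 1 means the kernel switch is on but the TLS library or server did not request offload for that session.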