Re: How to use ktls with openssl in base

From: Marek Zarychta <zarychtam_at_plan-b.pwste.edu.pl>
Date: Sat, 13 Sep 2025 12:32:25 UTC
On 13.09.2025 at 11:46, Alexander Leidinger wrote:
> On 2025-09-12 22:08, Pete French wrote:
>> Am running 14.3-STABLE from a few weeks ago, and I would rather like
>> to get KTLS working with the openssl in base. I have got it working
>> with GnuTLS from ports easily enough (enable in the global config file
>> and it just works). But am having problems in base.
>>
>> My understanding is that the openssl in base is compiled with ktls
>> support. From reading around, it seems I do need to enable it by
>> adding KTLS to the 'Options' directive in things like Apache,
>> but this doesn't seem to work.
>>
>> I also tried adding it to /etc/ssl/openssl.cnf
>>
>> I am checking to see if it's working by making a connection and
>> then checking the value of kern.ipc.tls.stats.offload_total to
>> see if it increases. It does with GnuTLS, but it does not when I
>> use openssl s_client
>>
>> I believe it's actually parsing my options, because if I make a
>> deliberate typo it rejects them.
>>
>> This is what I did in openssl.cnf
>>
>>     [openssl_init]
>>     providers = provider_sect
>>
>>     # Add KTLS to the options
>>     ssl_conf = local_ssl_conf
>>
>>     [local_ssl_conf]
>>     ktls = local_ktls_conf fds
>>
>>     [local_ktls_conf]
>>     Options = KTLS
>>
>> and this is what I did in Apache
>>
>>     SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
>>
>>
>> but so far, the offload_total remains stubbornly static.
>> Anyone got any hints?
>
> For nginx it is "ssl_conf_command Options KTLS;", nothing in 
> openssl.cnf needed then. No special build options for src, only 
> kern.ipc.tls.enable=1 in sysctl.conf.
>
> Bye,
> Alexander.
>
Please don’t expect Apache 2.4 to benefit from KTLS[1]. Nginx has been 
proven to work for a few years. If you want to check whether KTLS is 
active (for Nginx or another application), watch the 
kern.ipc.tls.stats.ocf statistics.

1. https://reviews.freebsd.org/D28932

-- 
Marek Zarychta
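
The counter check discussed in this thread, as an added example that is not part of the original messages or of FreeBSD itself: a shell helper that compares two snapshots of `sysctl kern.ipc.tls.stats` output, taken before and after a test connection, and reports which counters grew. The sample snapshots, their values and the `ocf` leaf names in them are constructed for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Live use on a FreeBSD host (assumed workflow):
#   before=$(sysctl kern.ipc.tls.stats)
#   ... make one TLS connection to the server under test ...
#   after=$(sysctl kern.ipc.tls.stats)
#   ktls_delta "$before" "$after"

# ktls_delta BEFORE AFTER
# Each argument holds "name: value" lines as printed by sysctl.
# Prints "name +N" for every numeric counter that increased.
ktls_delta() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        /^---$/ { second = 1; next }      # separator between snapshots
        {
            n = index($0, ": ")
            if (n == 0) next               # not a "name: value" line
            name = substr($0, 1, n - 1)
            val  = substr($0, n + 2)
            if (val !~ /^[0-9]+$/) next    # skip non-numeric values
            if (!second) { before[name] = val + 0; next }
            if ((name in before) && (val + 0 > before[name]))
                printf "%s +%d\n", name, val - before[name]
        }'
}

# ktls_active BEFORE AFTER
# Succeeds only if offload_total or a counter under .ocf increased,
# i.e. the kernel handled TLS records for some session in between.
ktls_active() {
    ktls_delta "$1" "$2" |
        grep -Eq '^kern\.ipc\.tls\.stats\.(offload_total|ocf\.[a-z0-9_]+) '
}

# Constructed sample snapshots (not captured from a real system).
SAMPLE_BEFORE='kern.ipc.tls.stats.offload_total: 12
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 340
kern.ipc.tls.stats.ocf.tls13_gcm_decrypts: 0'

SAMPLE_AFTER='kern.ipc.tls.stats.offload_total: 13
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 398
kern.ipc.tls.stats.ocf.tls13_gcm_decrypts: 0'

ktls_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

An empty result after a real connection matches the "stubbornly static" symptom in the original question: the application never handed the session to the kernel, whatever its configuration parser accepted.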