Re: How to use ktls with openssl in base

From: Steffen Nurpmeso <steffen_at_sdaoden.eu>
Date: Sat, 13 Sep 2025 17:18:30 UTC
(Sorry,)

Alexander Leidinger wrote in
 <6c75d301df5e5743821a23e4e19c5efc@Leidinger.net>:
 |Am 2025-09-12 22:08, schrieb Pete French:
 ...
 |> I also tried adding it to /etc/ssl/openssl.cnf
 ...
 |> I believe its actually parsing my options, because if I make a
 |> deliberate typo it rejects them.
 |> 
 |> This is what I did in openssl.cnf
 |> 
 |>  [openssl_init]
 |>  providers = provider_sect
 |> 
 |>  # Add KTLS to the options
 |>  ssl_conf = local_ssl_conf
 |> 
 |>  [local_ssl_conf]
 |>  ktls = local_ktls_conf
 |> 
 |>  [local_ktls_conf]
 |>  Options = KTLS
 |> 
 |> and this is what I did in Apache
 |> 
 |>  SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
 ...
 |For nginx it is "ssl_conf_command Options KTLS;", nothing in openssl.cnf 
 |needed then. No special build options for src, only 

but i *think* the *idea* was that an administrator becomes capable
to manage the security properties of "anything" in a single place.
So "not needed" is imho false wording, because you need to modify
a server configuration file with its own syntax, somewhere in the
filesystem.
(As it *could* be i am in parts hm responsible for Dr. Stephen
Henson implementing this in OpenSSL as one of the last big
from-scratch things he has done, before TLSv1.3 (and before
completely disappearing from any radar i know, which i find a
real loss), i wanted to remark that; unfortunately not many
servers followed this (yet), let alone normal programs.  Likely
also because not all SSL libraries implemented it.  I still
believe it is a great thing, just as is SSL_CONF_cmd(), since user
strings can simply be passed through, and dynamic libraries sail
the edge, and then users and admins can just go.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
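As an added example, not code from this thread or from OpenSSL: a small Python checker that follows the openssl.cnf chain shown in the quoted fragment (openssl_conf -> openssl_init -> ssl_conf -> one section per context -> Options) and reports which contexts end up with KTLS switched on. The sample file and the context name `ktls` are constructed from the quoted fragment; the `system_default` check reflects that OpenSSL applies only that context name to every SSL_CTX automatically, every other name only through an explicit SSL_CTX_config() call.

```python
import configparser

# Constructed sample: the openssl.cnf chain quoted in the thread plus the
# top-level openssl_conf pointer that makes OpenSSL load it at all.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
ssl_conf = local_ssl_conf
[local_ssl_conf]
ktls = local_ktls_conf
[local_ktls_conf]
Options = KTLS
"""

def parse_openssl_cnf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # OpenSSL keys are case-sensitive ("Options", not "options")
    cp.read_string("[default]\n" + text)  # keys before the first [section] go to [default]
    return cp

def _section(cnf, holder, key, consequence):
    """Return the section that holder[key] names, or raise if that link is broken."""
    name = cnf[holder].get(key)
    if name is None or not cnf.has_section(name):
        raise ValueError(f"'{key}' in [{holder}] names no existing section: {consequence}")
    return name

def ssl_conf_contexts(cnf):
    """openssl_conf -> [init] -> ssl_conf -> one section per context; {context: Options tokens}."""
    init = _section(cnf, "default", "openssl_conf", "nothing is loaded")
    sslconf = _section(cnf, init, "ssl_conf", "no SSL_CONF commands apply")
    contexts = {}
    for name in cnf[sslconf]:
        sect = _section(cnf, sslconf, name, f"context '{name}' is dangling")
        opts = cnf[sect].get("Options", "")
        contexts[name] = [t.strip() for t in opts.split(",") if t.strip()]
    return contexts

def ktls_status(cnf):
    """{context: KTLS on?} after the Options list is applied in order; '-KTLS' clears it."""
    status = {}
    for name, toks in ssl_conf_contexts(cnf).items():
        flips = [t == "KTLS" for t in toks if t in ("KTLS", "-KTLS")]
        status[name] = flips[-1] if flips else False
    return status

def applied_automatically(cnf):
    """OpenSSL applies only the 'system_default' context to every new SSL_CTX;
    any other context name takes effect only through an explicit SSL_CTX_config() call."""
    return ktls_status(cnf).get("system_default", False)
```

configparser only approximates OpenSSL's file syntax: it does not expand `$var` references or follow `.include` directives, so feed it the relevant fragment rather than a full system openssl.cnf.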