git: df8406ca0f05 - stable/13 - nfs tls: Update for SSL_OP_ENABLE_KTLS.

John Baldwin jhb at FreeBSD.org
Tue Aug 24 01:01:45 UTC 2021


The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=df8406ca0f053649dbd6a808486141a11bb4c3a8

commit df8406ca0f053649dbd6a808486141a11bb4c3a8
Author:     John Baldwin <jhb at FreeBSD.org>
AuthorDate: 2021-08-10 21:18:43 +0000
Commit:     John Baldwin <jhb at FreeBSD.org>
CommitDate: 2021-08-24 00:59:34 +0000

    nfs tls: Update for SSL_OP_ENABLE_KTLS.
    
    Upstream OpenSSL (and the KTLS backport) have switched to an opt-in
    option (SSL_OP_ENABLE_KTLS) in place of opt-out modes
    (SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel
    TLS.
    
    Reviewed by:    rmacklem
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D31445
    
    (cherry picked from commit c7bb0f47f721a2095ed6100bca595ba68fa5645a)
---
 usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 5 +++++
 usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
index af803f203ffd..5e66f4b4b2dd 100644
--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void)
 	    SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 #else
 	flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3;
+#endif
+#ifdef SSL_OP_ENABLE_KTLS
+	flags |= SSL_OP_ENABLE_KTLS;
 #endif
 	SSL_CTX_set_options(ctx, flags);
+#ifdef SSL_MODE_NO_KTLS_TX
 	SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 	return (ctx);
 }
 
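Review bot: In rpctls_setupcl_ssl(), if the OpenSSL headers define neither SSL_OP_ENABLE_KTLS nor SSL_MODE_NO_KTLS_TX, both new #ifdef blocks compile away and the context is returned with no request for kernel TLS and no diagnostic. If this daemon requires kernel TLS, an #else branch with #error would surface that case at build time instead of at run time. Failing that, a comment should say which guard serves the old opt-out modes and which the new opt-in option described in the commit message.
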
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 1c7687cad87a..71787b162acd 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir)
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
 		    rpctls_verify_callback);
 	}
+#ifdef SSL_OP_ENABLE_KTLS
+	SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
+#ifdef SSL_MODE_NO_KTLS_TX
 	SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 	return (ctx);
 }
 
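Review bot: The "#ifdef SSL_MODE_NO_KTLS_TX" guard in rpctls_setup_ssl() tests only the TX macro, but the guarded SSL_CTX_clear_mode() call also uses SSL_MODE_NO_KTLS_RX. The two macros presumably appear and disappear together, so this is unlikely to break a build, but "#if defined(SSL_MODE_NO_KTLS_TX) && defined(SSL_MODE_NO_KTLS_RX)" would make the guard match what the line uses. The same pair of guarded blocks is added to rpc.tlsclntd.c, so a one-line comment on each block saying which OpenSSL interface it targets would help keep the two files in step.
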

