Should we enable KERN_TLS on amd64 for FreeBSD 13?

Sat Jan 9 18:29:12 UTC 2021

On 09/01/2021 15:08, Rick Macklem wrote:
>   John Baldwin wrote:
>> John-Mark Gurney wrote:
>>> Andrew Gallatin wrote:
>>>>
>>>> There are essentially 3 options
>>>>
>>>> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
>>>> flipping kern.ipc.tls.enable=1
>>>>
>>>> The advantage of this is that it "just works" out of the box for users,
>>>> and for reviewers.
>>>>
>>>> The drawback is that new code is thrust on unsuspecting users,
>>>> potentially exposing them to bugs that we have not found in our
>>>> somewhat limited web serving workload.
>>>
>>> This is my vote.
>>>
>>> I assume that the in tree and ports tree OpenSSL libraries will make
>>> use of it when present?  Does this mean fetch and the like will also
>>> use it when talking w/ https website?  (that's a nice benefit).
>>
>> In tree OpenSSL does not support KTLS.  OpenSSL considers KTLS support
>> too large of a feature to officially backport to the 1.1.1 branch, so
>> if we add it in base, it will mean keeping it as a local diff.
>>
>> OTOH, I do maintain a backport of KTLS to 1.1.1 and there is a KTLS
>> option for the security/openssl port (not on by default, it perhaps
>> should be on 13?) which includes KTLS support.  security/openssl-devel
>> (which tracks OpenSSL 3) also has a KTLS option that probably should
>> be enabled by default on 13 as it only consists of enabling the
>> option without requiring patches to the port.
> As of r557013, the KTLS option is enabled by default in openssl-devel.
> 
>> I can raise the issue again with secteam about importing KTLS into the
>> base OpenSSL.  I think the main issue is the risk of getting a merge
>> conflict when merging in an SA, though from my experience maintaining
>> the KTLS patchset against 1.1.1 for the past year or so, I expect that
>> risk to be fairly low.
>>
>> Personally, it would make my life a bit happier as a developer using
>> KTLS for it to at least be in GENERIC by default, but that's a pretty
>> narrow use case. :)
> 
> I don't know what the relationship between ports and packages is,
> but if there is soon a package for openssl-devel (with KTLS enabled
> like it is in ports), then no build from sources would be needed for
> openssl.

If package is built with dependency on base OpenSSL then it will not use 
libraries installed by openssl-devel.
If packgage is built with dependency on ports OpenSSL (security/openssl) 
then it pulls openssl package and openssl-devel will be deinstalled as 
it conflicts with other SSL implementations. They cannot coexist.

> --> It is unfortunate that Openssl3 (openssl-devel) is still in alpha test.
> 
> If there is a package for an openssl with KTLS support, then having KERN_TLS
> in GENERIC  might be nice, since no source builds would be needed.
> (I have no preference w.r.t "enabled by default", since the
> sysctl can easily be set via sysctl.conf.)
> 
> Although nfs-over-tls is not yet implemented for non-FreeBSD
> systems, I would like to see it become easy to enable during the
> FreeBSD release cycle and having KERN_TLS in GENERIC would
> be a step in that direction.
> 
> Oh, and I'm not saying it is worth changing, but having Openssl
> use KTLS and the kernel use KERN_TLS slightly obscures the fact
> that they refer to related code.