Can In-Kernel TLS (kTLS) work with any OpenSSL Application?

Benjamin Kaduk kaduk at mit.edu
Mon Jan 25 05:47:06 UTC 2021


On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
> Ronald Klop wrote:
> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc at freebsd.org> wrote:
> >But I think for Tor to support KTLS it needs to implement some things
> >itself. More information about that could be asked at the maintainer of
> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
> >project.
> To just make it work, I don't think changes are needed beyond linking to
> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
> (There are new library calls an application can use to check to see if
> KTLS is enabled for the connection, but if it doesn't care, I don't think
> those calls are needed?)
> 
> You do need to run a kernel with "options KERN_TLS" and set
> kern.ipc.tls.enable=1
> kern.ipc.mb_use_ext_pgs=1

Note that upstream openssl is expecting to change the way ktls is
(en/dis)abled by default; see
https://github.com/openssl/openssl/issues/13794

-Ben
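The kernel-side prerequisites Rick lists above (a kernel built with "options KERN_TLS", kern.ipc.tls.enable=1 and kern.ipc.mb_use_ext_pgs=1) can be checked from a shell before anyone wonders why an OpenSSL application is not offloading. The script below is an added example and is not from the thread or from FreeBSD; it assumes the `sysctl name: value` output format, treats the mere presence of the kern.ipc.tls subtree as the sign that KERN_TLS was compiled in, and uses constructed sample dumps. It does not cover the application-side check (in OpenSSL 3.0 that is BIO_get_ktls_send()/BIO_get_ktls_recv() on the connection's BIOs), which upstream's issue 13794 concerns.

```shell
#!/bin/sh
# Added example: check a FreeBSD host for the kTLS prerequisites named in
# the thread. ktls_check_dump reads "name: value" lines on stdin, which is
# what `sysctl kern.ipc` prints, so it can be exercised offline with a
# constructed dump; ktls_check runs it against the live host.

# Return 0 when every prerequisite in the dump is satisfied, 1 otherwise.
# Each unmet prerequisite is printed on stdout as the remediation step.
ktls_check_dump() {
    _have_subtree=0   # any kern.ipc.tls.* oid => kernel has KERN_TLS (assumption)
    _enable=""        # value of kern.ipc.tls.enable
    _extpgs=""        # value of kern.ipc.mb_use_ext_pgs
    while IFS= read -r _line; do
        case "$_line" in
            kern.ipc.tls.*) _have_subtree=1 ;;
        esac
        case "$_line" in
            "kern.ipc.tls.enable: "*)     _enable="${_line#*: }" ;;
            "kern.ipc.mb_use_ext_pgs: "*) _extpgs="${_line#*: }" ;;
        esac
    done
    if [ "$_have_subtree" -eq 0 ]; then
        # Without the sysctl subtree there is nothing userland can switch on.
        echo "kernel lacks KERN_TLS: rebuild with 'options KERN_TLS'"
        return 1
    fi
    _rc=0
    if [ "$_enable" != "1" ]; then
        echo "sysctl kern.ipc.tls.enable=1"
        _rc=1
    fi
    if [ "$_extpgs" != "1" ]; then
        echo "sysctl kern.ipc.mb_use_ext_pgs=1"
        _rc=1
    fi
    return $_rc
}

# Live check on a FreeBSD host: feed the real kern.ipc subtree to the parser.
ktls_check() {
    sysctl kern.ipc 2>/dev/null | ktls_check_dump
}

# Lines to append to /etc/sysctl.conf so the two settings survive a reboot.
ktls_sysctl_conf_lines() {
    printf 'kern.ipc.tls.enable=1\nkern.ipc.mb_use_ext_pgs=1\n'
}

# Constructed sample dumps (not captured from a real host) for a dry run.
KTLS_DUMP_READY='kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1
kern.ipc.tls.stats.active: 0'

KTLS_DUMP_DISABLED='kern.ipc.tls.enable: 0
kern.ipc.mb_use_ext_pgs: 0'

KTLS_DUMP_NO_KERNTLS='kern.ipc.maxsockets: 1048576
kern.ipc.mb_use_ext_pgs: 1'

# Run the dry checks when executed directly; on FreeBSD, call ktls_check.
if [ "${0##*/}" = "ktls_check.sh" ]; then
    for _d in "$KTLS_DUMP_READY" "$KTLS_DUMP_DISABLED" "$KTLS_DUMP_NO_KERNTLS"; do
        printf '%s\n' "$_d" | ktls_check_dump && echo "kTLS prerequisites OK"
        echo "--"
    done
fi
```

Once connections are flowing, `sysctl kern.ipc.tls.stats` shows the kernel's per-session counters, which is the quickest way to confirm that a linked-against-kTLS OpenSSL is actually handing sessions to the kernel rather than just being built with support.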


More information about the freebsd-current mailing list