Netflix kernel TLS

Drew Gallatin gallatin at
Thu Feb 22 18:12:44 UTC 2018

As discussed in the meeting today, I have backported our kernel TLS to an
upstream kernel and made it available for comment.   See the nf_ktls branch
of my public github:

It is enabled by 'options KERN_TLS"

A few random facts:

- This is transmit only.

- Applications linking to OpenSSL are automatically accelerated, for socket
writes assuming that
  a compatible cipher is supported in the kernel.

- It adds a new OpenSSL API entry point, SSL_sendfile(), which is self
    You can see example usage in our patch to nginx, at

- It has been tested and run only on AMD64.  I suspect it will work on any
arch with
     a direct map. (eg, PHYS_TO_DMAP, DMAP_TO_PHYS)

- It requires my vectorized unmapped mbufs  (present in that branch).  Note
that my vectorized mbufs should work on any arch, and I've measured
speedups on i386, simply because we avoid mapping sf_bufs.

- It requires a backend crypto module to support the actual encryption.  I
totally suck at ports, but I've left a port of intel-isa-l at

Best regards,


More information about the freebsd-transport mailing list