
security/openssl: Add support for in-kernel TLS (KTLS).

Authored by jhb on Apr 3 2020, 8:58 PM.



This adds a new KTLS option to include support for kernel TLS
offload in FreeBSD 13. The extra patches are all backports of
commits from OpenSSL master that will be included in OpenSSL 3.0.

Test Plan
  • was able to verify KTLS operation using a KTLS kernel and openssl s_client/s_server.
  • make check-plist passes

Diff Detail

rP FreeBSD ports repository
Lint Not Applicable
Tests Not Applicable

Event Timeline

The patch is generated from I also have a ktls_1_1_1 that I periodically rebase on the OpenSSL_1_1_1-stable branch. I think a reasonable approach is that updating this port for new releases shouldn't wait for the KTLS patch to be regenerated if it fails to apply cleanly, instead the KTLS option could just be disabled until I can update the patchset in that case.

A related question is if we should enable KTLS by default. This patch takes the conservative approach of not doing so, but given it only applies to head it may make sense to enable it by default instead.

Inline comment on line 90 (Diff #70160):

Oops, forgot I had this here. This is unrelated, but is stale as there is no longer a WEAK-SSL-CIPHERS option.

This revision is now accepted and ready to land. Apr 6 2020, 2:26 PM

Ping? There has been no response from the maintainer in over 3 weeks.

Sounds like maintainer time-out. Feel free to commit.

Seems reasonable to me; I would suggest that we turn it on by default in HEAD to get some more mileage on it

Inline comment on line 90 (Diff #70160):

should take care of this one first tho IMO

Smoke tested by Mellanox.

Move enable-ktls to "default disabled" section

This revision now requires review to proceed. May 23 2020, 7:22 PM

Thanks for the patch!
Updated for 1.1.1g and moved the enable-ktls option

This revision was not accepted when it landed; it landed in state Needs Review. May 23 2020, 7:36 PM
This revision was automatically updated to reflect the committed changes.