
security/openssl: Add support for in-kernel TLS (KTLS).
ClosedPublic

Authored by jhb on Apr 3 2020, 8:58 PM.

Details

Summary

This adds a new KTLS option to include support for kernel TLS
offload in FreeBSD 13. The extra patches are all backports of
commits from OpenSSL master that will be included in OpenSSL 3.0.

Test Plan
  • was able to verify KTLS operation using a KTLS kernel and openssl s_client/s_server.
  • make check-plist passes

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

The patch is generated from https://github.com/openssl/openssl/compare/OpenSSL_1_1_1f...bsdjhb:ktls_1_1_1f. I also have a ktls_1_1_1 that I periodically rebase on the OpenSSL_1_1_1-stable branch. I think a reasonable approach is that updating this port for new releases shouldn't wait for the KTLS patch to be regenerated if it fails to apply cleanly; instead, the KTLS option could just be disabled until I can update the patchset in that case.

A related question is if we should enable KTLS by default. This patch takes the conservative approach of not doing so, but given it only applies to head it may make sense to enable it by default instead.

security/openssl/Makefile:90

Oops, forgot I had this here. This is unrelated, but is stale as there is no longer a WEAK-SSL-CIPHERS option.

This revision is now accepted and ready to land. Apr 6 2020, 2:26 PM

Ping? There has been no response from the maintainer in over 3 weeks.

Sounds like maintainer time-out. Feel free to commit.

Seems reasonable to me; I would suggest that we turn it on by default in HEAD to get some more mileage on it

security/openssl/Makefile:90

Should take care of this one first tho IMO.

Move enable-ktls to "default disabled" section

This revision now requires review to proceed. May 23 2020, 7:22 PM

Thanks for the patch!
Updated for 1.1.1g and moved the enable-ktls option

security/openssl/Makefile:90

This revision was not accepted when it landed; it landed in state Needs Review. May 23 2020, 7:36 PM
This revision was automatically updated to reflect the committed changes.