security/openssl: Add support for in-kernel TLS (KTLS).
Closed, Public

Authored by jhb on Apr 3 2020, 8:58 PM.

Details

Summary

This adds a new KTLS option to include support for kernel TLS
offload in FreeBSD 13. The extra patches are all backports of
commits from OpenSSL master that will be included in OpenSSL 3.0.

Test Plan
  • was able to verify KTLS operation using a KTLS kernel and openssl s_client/s_server.
  • make check-plist passes

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

jhb created this revision. Apr 3 2020, 8:58 PM
jhb added a comment. Apr 3 2020, 10:39 PM

The patch is generated from https://github.com/openssl/openssl/compare/OpenSSL_1_1_1f...bsdjhb:ktls_1_1_1f. I also have a ktls_1_1_1 that I periodically rebase on the OpenSSL_1_1_1-stable branch. I think a reasonable approach is that updating this port for new releases shouldn't wait for the KTLS patch to be regenerated if it fails to apply cleanly; instead, the KTLS option could just be disabled until I can update the patchset in that case.

A related question is if we should enable KTLS by default. This patch takes the conservative approach of not doing so, but given it only applies to head it may make sense to enable it by default instead.

security/openssl/Makefile:91

Oops, forgot I had this here. This is unrelated, but is stale as there is no longer a WEAK-SSL-CIPHERS option.

gallatin accepted this revision. Apr 6 2020, 2:26 PM
This revision is now accepted and ready to land. Apr 6 2020, 2:26 PM
jhb added a comment. Apr 29 2020, 8:23 PM

Ping? There has been no response from the maintainer in over 3 weeks.

gordon accepted this revision. May 2 2020, 8:02 PM

Sounds like maintainer time-out. Feel free to commit.

emaste added a comment. May 2 2020, 8:05 PM

Seems reasonable to me; I would suggest that we turn it on by default in HEAD to get some more mileage on it.

security/openssl/Makefile:91

should take care of this one first tho IMO

hselasky accepted this revision. May 20 2020, 11:51 AM

Smoke tested by Mellanox.

brnrd updated this revision to Diff 72176. May 23 2020, 7:22 PM

Move enable-ktls to "default disabled" section

This revision now requires review to proceed. May 23 2020, 7:22 PM
brnrd added a comment. May 23 2020, 7:24 PM

Thanks for the patch!
Updated for 1.1.1g and moved the enable-ktls option

security/openssl/Makefile:91
This revision was not accepted when it landed; it landed in state Needs Review. May 23 2020, 7:36 PM
This revision was automatically updated to reflect the committed changes.