This adds a new KTLS option to include support for kernel TLS
offload in FreeBSD 13. The extra patches are all backports of
commits from OpenSSL master that will be included in OpenSSL 3.0.
Details
- was able to verify KTLS operation using a KTLS kernel and openssl s_client/s_server.
- make check-plist passes
Diff Detail
- Repository: rP FreeBSD ports repository
- Lint: Not Applicable
- Unit Tests: Not Applicable
Event Timeline
The patch is generated from https://github.com/openssl/openssl/compare/OpenSSL_1_1_1f...bsdjhb:ktls_1_1_1f. I also have a ktls_1_1_1 that I periodically rebase on the OpenSSL_1_1_1-stable branch. I think a reasonable approach is that updating this port for new releases shouldn't wait for the KTLS patch to be regenerated if it fails to apply cleanly; instead, the KTLS option could just be disabled until I can update the patchset in that case.
A related question is whether we should enable KTLS by default. This patch takes the conservative approach of not doing so, but given it only applies to head it may make sense to enable it by default instead.
Inline comment on security/openssl/Makefile, line 90 (On Diff #70160): Oops, forgot I had this here. This is unrelated, but is stale as there is no longer a WEAK-SSL-CIPHERS option.
Seems reasonable to me; I would suggest that we turn it on by default in HEAD to get some more mileage on it.
Inline comment on security/openssl/Makefile, line 90 (On Diff #70160): should take care of this one first though, IMO.
Thanks for the patch!
Updated for 1.1.1g and moved the enable-ktls option.
Inline comment on security/openssl/Makefile, line 90 (On Diff #70160): Still exists in 1.1.1g: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/Configure#L424