Index: sys/dev/cxgbe/t4_main.c =================================================================== --- sys/dev/cxgbe/t4_main.c +++ sys/dev/cxgbe/t4_main.c @@ -4917,9 +4917,22 @@ #endif #ifdef KERN_TLS - if (t4_kern_tls != 0 && sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS && - sc->toecaps & FW_CAPS_CONFIG_TOE) - t4_enable_kern_tls(sc); + if (sc->cryptocaps & FW_CAPS_CONFIG_TLSKEYS && + sc->toecaps & FW_CAPS_CONFIG_TOE) { + if (t4_kern_tls != 0) + t4_enable_kern_tls(sc); + else { + /* + * Limit TOE connections to 2 reassembly + * "islands". This is required for TOE TLS + * connections to downgrade to plain TOE + * connections if an unsupported TLS version + * or ciphersuite is used. + */ + t4_tp_wr_bits_indirect(sc, A_TP_FRAG_CONFIG, + V_PASSMODE(M_PASSMODE), V_PASSMODE(2)); + } + } #endif return (0); } Index: sys/dev/cxgbe/tom/t4_tls.c =================================================================== --- sys/dev/cxgbe/tom/t4_tls.c +++ sys/dev/cxgbe/tom/t4_tls.c @@ -138,11 +138,19 @@ tls_stop_handshake_timer(toep); - /* Operate in PDU extraction mode only. */ + KASSERT(toep->tls.rx_key_addr == -1, + ("%s: tid %d has RX key", __func__, toep->tid)); + + /* Switch to plain TOE mode. */ t4_set_tls_tcb_field(toep, W_TCB_ULP_RAW, - V_TCB_ULP_RAW(M_TCB_ULP_RAW), - V_TCB_ULP_RAW(V_TF_TLS_ENABLE(1))); + V_TCB_ULP_RAW(V_TF_TLS_ENABLE(1)), + V_TCB_ULP_RAW(V_TF_TLS_ENABLE(0))); + t4_set_tls_tcb_field(toep, W_TCB_ULP_TYPE, + V_TCB_ULP_TYPE(M_TCB_ULP_TYPE), V_TCB_ULP_TYPE(ULP_MODE_NONE)); t4_clear_rx_quiesce(toep); + + toep->flags &= ~TPF_FORCE_CREDITS; + toep->params.ulp_mode = ULP_MODE_NONE; } static void