
OpenSSL: Support for kernel TLS offload (KTLS).
Abandoned, Public

Authored by jhb on Jan 21 2021, 10:48 PM.

Details

Summary

This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_KTLS build option determines whether OpenSSL is built
with KTLS support. It defaults to enabled.

Test Plan
  • Did simple testing of openssl s_server with TLS 1.2 with an AES-GCM cipher suite; both TX and RX were offloaded.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint OK
Unit
No Unit Test Coverage
Build Status
Buildable 36514
Build 33403: arc lint + arc unit

Event Timeline

jhb requested review of this revision. Jan 21 2021, 10:48 PM
jhb added a reviewer: secteam.
jhb changed the repository for this revision from rS FreeBSD src repository - subversion to R10 FreeBSD src repository.
jhb added subscribers: gallatin, bjk.

I have not yet regenerated the affected manual pages as I wasn't sure how to do that (the notes in FreeBSD-upgrade in the vendor tree say to regen, but don't give a command). I also haven't regenerated openssl.conf.h.in though I don't think it is affected? We would want to regen it with 'enable-ktls' passed to OpenSSL's configure script though. If we wanted the KTLS bits to be under an option (e.g. MK_KTLS) then we could have OPENSSL_NO_KTLS in openssl.conf.h.in be dependent on that option similar to the way NO_ASM is handled in openssl.conf.h.in I believe.

Note that we (Netflix) have been running this patch in evolving state since 2017 in production.

  • Pull in fixes from jkim including WITH/WITHOUT_OPENSSL_KTLS and manpages.
jhb retitled this revision from "openssl: Support for kernel TLS offload (KTLS)." to "OpenSSL: Support for kernel TLS offload (KTLS).". Jan 26 2021, 12:23 AM
jhb edited the summary of this revision.

We might consider only enabling this by default on amd64 to match what we've done with 'options KERN_TLS' in GENERIC.

This revision is now accepted and ready to land. Jan 26 2021, 3:31 AM
In D28273#633989, @jhb wrote:

We might consider only enabling this by default on amd64 to match what we've done with 'options KERN_TLS' in GENERIC.

+1

jhb edited the summary of this revision.
  • Only enable OPENSSL_KTLS by default on amd64.
This revision now requires review to proceed. Jan 26 2021, 6:25 PM

I will probably split this up into a few commits. I will certainly regen src.conf.5 as a separate commit. I will probably also do the manpage regen as a separate commit.