TLS receive offload is really only beneficial for in-kernel use cases
(such as NFS over TLS) or when using a hardware offload. In addition,
several recent SAs have involved the TLS receive path, but the only
current mitigation for those is to disable TLS offload entirely.
Sponsored by: Netflix
Sponsored by: Chelsio Communications
Co-authored-by: John Baldwin <jhb@FreeBSD.org>