HomeFreeBSD

OpenSSL: Only enable KTLS if it is explicitly configured

Description

OpenSSL: Only enable KTLS if it is explicitly configured

It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440

(cherry picked from commit 62ca9fc1ad569eb3fafd281e03812a598b9856ee)

Details

Provenance
jhbAuthored on Aug 17 2021, 9:39 PM
Reviewer
jkim
Differential Revision
D31440: OpenSSL: Only enable KTLS if it is explicitly configured
Parents
rGd00932bea68b: OpenSSL: ktls: Initial support for ChaCha20-Poly1305
Branches
Unknown
Tags
Unknown