diff options
author | John Baldwin <jhb@FreeBSD.org> | 2021-08-17 21:39:32 +0000 |
---|---|---|
committer | John Baldwin <jhb@FreeBSD.org> | 2021-08-17 21:41:31 +0000 |
commit | a208223130fb12daac9b4f52be1b3477b03ac521 (patch) | |
tree | 0cbdaf04fba39484ef11425442a4ae1025ce77f5 /crypto | |
parent | 62ca9fc1ad569eb3fafd281e03812a598b9856ee (diff) | |
download | src-a208223130fb12daac9b4f52be1b3477b03ac521.tar.gz src-a208223130fb12daac9b4f52be1b3477b03ac521.zip |
OpenSSL: Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Reviewed by: jkim
Obtained from: OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
MFC after: 5 days
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31441
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/openssl/doc/man3/SSL_CONF_cmd.pod | 4 | ||||
-rw-r--r-- | crypto/openssl/doc/man3/SSL_CTX_set_mode.pod | 17 | ||||
-rw-r--r-- | crypto/openssl/doc/man3/SSL_CTX_set_options.pod | 23 |
3 files changed, 27 insertions, 17 deletions
diff --git a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod index 900c4f3a5648..a3f447a986e3 100644 --- a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod +++ b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod @@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in other ways and in such cases the built-in OpenSSL functionality is not required. Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>. +B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported +by the negotiated ciphersuites and extensions. Equivalent to +B<SSL_OP_ENABLE_KTLS>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod index 27eaebad1ea0..85e3353e0e2c 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod @@ -114,22 +114,6 @@ enables this behaviour to allow interoperability with such broken implementations. Please note that setting this option breaks interoperability with correct implementations. This option only applies to DTLS over SCTP. -=item SSL_MODE_NO_KTLS_TX - -Disable the use of the kernel TLS egress data-path. -By default kernel TLS is enabled if it is supported by the negotiated ciphersuites -and extensions and OpenSSL has been compiled with support for it. -The kernel TLS data-path implements the record layer, -and the crypto algorithm. The kernel will utilize the best hardware -available for crypto. Using the kernel data-path should reduce the memory -footprint of OpenSSL because no buffering is required. Also, the throughput -should improve because data copy is avoided when user data is encrypted into -kernel memory instead of the usual encrypt than copy to kernel. - -Kernel TLS might not support all the features of OpenSSL. For instance, -renegotiation, and setting the maximum fragment size is not possible as of -Linux 4.20. - =back All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by @@ -150,7 +134,6 @@ L<SSL_write(3)>, L<SSL_get_error(3)> =head1 HISTORY SSL_MODE_ASYNC was added in OpenSSL 1.1.0. -SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0. =head1 COPYRIGHT diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod index 969e0366c45a..231fe92d8e78 100644 --- a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod +++ b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod @@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by setting this option. This is a server-side opton only. It is ignored by clients. +=item SSL_OP_ENABLE_KTLS + +Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must +have been compiled with support for it, and it must be supported by the +negotiated ciphersuites and extensions. The specific ciphersuites and extensions +that are supported may vary by platform and kernel version. + +The kernel TLS data-path implements the record layer, and the encryption +algorithm. The kernel will utilize the best hardware +available for encryption. Using the kernel data-path should reduce the memory +footprint of OpenSSL because no buffering is required. Also, the throughput +should improve because data copy is avoided when user data is encrypted into +kernel memory instead of the usual encrypt then copy to kernel. + +Kernel TLS might not support all the features of OpenSSL. For instance, +renegotiation, and setting the maximum fragment size is not possible as of +Linux 4.20. + +Note that with kernel TLS enabled some cryptographic operations are performed +by the kernel directly and not via any available OpenSSL Providers. This might +be undesirable if, for example, the application requires all cryptographic +operations to be performed by the FIPS provider. + =back The following options no longer have any effect but their identifiers are |