git: a208223130fb - main - OpenSSL: Update KTLS documentation

John Baldwin jhb at FreeBSD.org
Tue Aug 17 21:46:00 UTC 2021


The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=a208223130fb12daac9b4f52be1b3477b03ac521

commit a208223130fb12daac9b4f52be1b3477b03ac521
Author:     John Baldwin <jhb at FreeBSD.org>
AuthorDate: 2021-08-17 21:39:32 +0000
Commit:     John Baldwin <jhb at FreeBSD.org>
CommitDate: 2021-08-17 21:41:31 +0000

    OpenSSL: Update KTLS documentation
    
    KTLS support has been changed to be off by default, and configuration is
    via a single "option" rather than two "modes". Documentation is updated
    accordingly.
    
    Reviewed by:    jkim
    Obtained from:  OpenSSL (6878f4300213cfd7d4f01e26a8b97f70344da100)
    MFC after:      5 days
    Sponsored by:   Netflix
    Differential Revision:  https://reviews.freebsd.org/D31441
---
 crypto/openssl/doc/man3/SSL_CONF_cmd.pod        |  4 ++++
 crypto/openssl/doc/man3/SSL_CTX_set_mode.pod    | 17 -----------------
 crypto/openssl/doc/man3/SSL_CTX_set_options.pod | 23 +++++++++++++++++++++++
 3 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
index 900c4f3a5648..a3f447a986e3 100644
--- a/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
+++ b/crypto/openssl/doc/man3/SSL_CONF_cmd.pod
@@ -495,6 +495,10 @@ specification. Some applications may be able to mitigate the replay risks in
 other ways and in such cases the built-in OpenSSL functionality is not required.
 Disabling anti-replay is equivalent to setting B<SSL_OP_NO_ANTI_REPLAY>.
 
+B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported
+by the negotiated ciphersuites and extensions. Equivalent to
+B<SSL_OP_ENABLE_KTLS>.
+
 =item B<VerifyMode>
 
 The B<value> argument is a comma separated list of flags to set.
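Review bot: the new B<KTLS> entry says what the option enables but not the default; since this change turns kernel TLS off by default, the entry should state that explicitly (for example, "Kernel TLS is not used unless this option is set"), otherwise a reader of SSL_CONF_cmd cannot tell whether omitting the option changes anything. Minor wording: "and it is supported by the negotiated ciphersuites and extensions" reads better as "and the negotiated ciphersuites and extensions support it".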
diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod
index 27eaebad1ea0..85e3353e0e2c 100644
--- a/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod
+++ b/crypto/openssl/doc/man3/SSL_CTX_set_mode.pod
@@ -114,22 +114,6 @@ enables this behaviour to allow interoperability with such broken
 implementations. Please note that setting this option breaks interoperability
 with correct implementations. This option only applies to DTLS over SCTP.
 
-=item SSL_MODE_NO_KTLS_TX
-
-Disable the use of the kernel TLS egress data-path.
-By default kernel TLS is enabled if it is supported by the negotiated ciphersuites
-and extensions and OpenSSL has been compiled with support for it.
-The kernel TLS data-path implements the record layer,
-and the crypto algorithm. The kernel will utilize the best hardware
-available for crypto. Using the kernel data-path should reduce the memory
-footprint of OpenSSL because no buffering is required. Also, the throughput
-should improve because data copy is avoided when user data is encrypted into
-kernel memory instead of the usual encrypt than copy to kernel.
-
-Kernel TLS might not support all the features of OpenSSL. For instance,
-renegotiation, and setting the maximum fragment size is not possible as of
-Linux 4.20.
-
 =back
 
 All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by
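Review bot: deleting the SSL_MODE_NO_KTLS_TX item removes the only mention of kernel TLS from this page without pointing readers at its replacement. Consider keeping a one-line cross-reference ("Kernel TLS is now controlled by SSL_OP_ENABLE_KTLS, see L<SSL_CTX_set_options(3)>") so that anyone who previously set this mode to opt out finds where the opt-in now lives. The remaining context line "All modes are off by default except for SSL_MODE_AUTO_RETRY" stays accurate after the removal.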
@@ -150,7 +134,6 @@ L<SSL_write(3)>, L<SSL_get_error(3)>
 =head1 HISTORY
 
 SSL_MODE_ASYNC was added in OpenSSL 1.1.0.
-SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0.
 
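Review bot: silently dropping the HISTORY line erases the record that SSL_MODE_NO_KTLS_TX existed in the 3.0.0 sources. If the symbol ever shipped in a release, a HISTORY note recording its removal (rather than deleting the entry) is the usual convention and helps anyone whose build breaks on the missing identifier; if it never shipped, the silent removal is fine.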
 =head1 COPYRIGHT
 
diff --git a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod
index 969e0366c45a..231fe92d8e78 100644
--- a/crypto/openssl/doc/man3/SSL_CTX_set_options.pod
+++ b/crypto/openssl/doc/man3/SSL_CTX_set_options.pod
@@ -237,6 +237,29 @@ functionality is not required. Those applications can turn this feature off by
 setting this option. This is a server-side opton only. It is ignored by
 clients.
 
+=item SSL_OP_ENABLE_KTLS
+
+Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must
+have been compiled with support for it, and it must be supported by the
+negotiated ciphersuites and extensions. The specific ciphersuites and extensions
+that are supported may vary by platform and kernel version.
+
+The kernel TLS data-path implements the record layer, and the encryption
+algorithm. The kernel will utilize the best hardware
+available for encryption. Using the kernel data-path should reduce the memory
+footprint of OpenSSL because no buffering is required. Also, the throughput
+should improve because data copy is avoided when user data is encrypted into
+kernel memory instead of the usual encrypt then copy to kernel.
+
+Kernel TLS might not support all the features of OpenSSL. For instance,
+renegotiation, and setting the maximum fragment size is not possible as of
+Linux 4.20.
+
+Note that with kernel TLS enabled some cryptographic operations are performed
+by the kernel directly and not via any available OpenSSL Providers. This might
+be undesirable if, for example, the application requires all cryptographic
+operations to be performed by the FIPS provider.
+
 =back
 
 The following options no longer have any effect but their identifiers are
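Review bot: SSL_OP_ENABLE_KTLS gets no entry in this file's HISTORY section, while the SSL_CTX_set_mode.pod hunk removes the SSL_MODE_NO_KTLS_TX history line, so the option's first-available version becomes undiscoverable; add "SSL_OP_ENABLE_KTLS was added in OpenSSL 3.0.0" alongside the other HISTORY entries. Two further points on the new text: the "as of Linux 4.20" limitation is copied verbatim from the removed mode text and, in a FreeBSD import, says nothing about which features FreeBSD's kernel TLS supports, so either label it as Linux-specific or add the FreeBSD limitations; and the final paragraph is the security-relevant caveat here, since with this option set the record-layer encryption happens in the kernel and is invisible to any provider-level policy, so it is worth stating plainly that an application requiring FIPS-provider-only cryptography must leave this option unset. Unrelated typo in the surrounding context: "opton" in "This is a server-side opton only".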

