Should we enable KERN_TLS on amd64 for FreeBSD 13?

Rick Macklem rmacklem at uoguelph.ca
Sat Jan 9 14:08:29 UTC 2021


John Baldwin wrote:
>John-Mark Gurney wrote:
>> Andrew Gallatin wrote:
>>>
>>> There are essentially 3 options
>>>
>>> 1) Fully enable KTLS by adding 'options KERN_TLS' to GENERIC, and
>>> flipping kern.ipc.tls.enable=1
>>>
>>> The advantage of this is that it "just works" out of the box for users,
>>> and for reviewers.
>>>
>>> The drawback is that new code is thrust on unsuspecting users,
>>> potentially exposing them to bugs that we have not found in our
>>> somewhat limited web serving workload.
>>
>> This is my vote.
>>
>> I assume that the in tree and ports tree OpenSSL libraries will make
>> use of it when present?  Does this mean fetch and the like will also
>> use it when talking w/ https website?  (that's a nice benefit).
>
>In tree OpenSSL does not support KTLS.  OpenSSL considers KTLS support
>too large of a feature to officially backport to the 1.1.1 branch, so
>if we add it in base, it will mean keeping it as a local diff.
>
>OTOH, I do maintain a backport of KTLS to 1.1.1 and there is a KTLS
>option for the security/openssl port (not on by default, it perhaps
>should be on 13?) which includes KTLS support.  security/openssl-devel
>(which tracks OpenSSL 3) also has a KTLS option that probably should
>be enabled by default on 13 as it only consists of enabling the
>option without requiring patches to the port.
As of r557013, the KTLS option is enabled by default in openssl-devel.

>I can raise the issue again with secteam about importing KTLS into the
>base OpenSSL.  I think the main issue is the risk of getting a merge
>conflict when merging in an SA, though from my experience maintaining
>the KTLS patchset against 1.1.1 for the past year or so, I expect that
>risk to be fairly low.
>
>Personally, it would make my life a bit happier as a developer using
>KTLS for it to at least be in GENERIC by default, but that's a pretty
>narrow use case. :)

I don't know what the relationship between ports and packages is,
but if there is soon a package for openssl-devel (with KTLS enabled
like it is in ports), then no build from sources would be needed for
openssl.
--> It is unfortunate that OpenSSL 3 (openssl-devel) is still in alpha test.

If there is a package for an openssl with KTLS support, then having KERN_TLS
in GENERIC might be nice, since no source builds would be needed.
(I have no preference w.r.t. "enabled by default", since the
sysctl can easily be set via sysctl.conf.)

Although nfs-over-tls is not yet implemented for non-FreeBSD
systems, I would like to see it become easy to enable during the
FreeBSD release cycle and having KERN_TLS in GENERIC would
be a step in that direction.

Oh, and I'm not saying it is worth changing, but having OpenSSL
use KTLS and the kernel use KERN_TLS slightly obscures the fact
that they refer to related code.

rick

--
John Baldwin


More information about the freebsd-arch mailing list