Can In-Kernel TLS (kTLS) work with any OpenSSL Application?
Ronald Klop
ronald-lists at klop.ws
Sat Jan 23 12:42:09 UTC 2021

On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc at freebsd.org> wrote:
> Hi freebsd-current@,
>
> I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while
> back.
>
> With 13.0-RELEASE around the corner, I'm thinking about upgrading my
> home server, well if I can accelerate any SSL application.
>
> I'm asking because I have a home server on a symmetrical Gigabit
> connection (Google Fiber/Webpass), and that server runs a Tor relay. If
> you're interested in how Tor works, the EFF has a writeup:
> https://www.eff.org/pages/what-tor-relay
>
> But the main point for you all is: more-or-less Tor relays deal with
> 1000s of TLS connections going into and out of the server.
>
> Would In-Kernel TLS help with an application like Tor (or even load
> balancers/TLS termination), or is it more for things like web servers
> sending static files via sendfile() (e.g. CDN used by Netflix)?
>
> My server could also work with Intel's QuickAssist (since it has an
> Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?
>
> I'm asking since I don't know whether to upgrade my home server to 13.x
> or leave it at 12.x. Yes, I do know we need a special OpenSSL to use
> kTLS.
>
> -Neel

According to the history of the openssl port, it has support for KTLS.
https://www.freshports.org/security/openssl

I don't know about the openssl in base.

But I think for Tor to support KTLS it needs to implement some things
itself. More information about that could be asked of the maintainer of
the port (https://www.freshports.org/security/tor/) or upstream at the Tor
project.

Regards,
Ronald.