The branch main has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=c7bb0f47f721a2095ed6100bca595ba68fa5645a
commit c7bb0f47f721a2095ed6100bca595ba68fa5645a Author: John Baldwin <j...@freebsd.org> AuthorDate: 2021-08-10 21:18:43 +0000 Commit: John Baldwin <j...@freebsd.org> CommitDate: 2021-08-10 21:18:43 +0000 nfs tls: Update for SSL_OP_ENABLE_KTLS. Upstream OpenSSL (and the KTLS backport) have switched to an opt-in option (SSL_OP_ENABLE_KTLS) in place of opt-out modes (SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel TLS. Reviewed by: rmacklem Sponsored by: Netflix MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31445
---
 usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 5 +++++ usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 5 +++++ 2 files changed, 10 insertions(+)
diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
index af803f203ffd..5e66f4b4b2dd 100644
--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void)
 SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 #else
 flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3;
+#endif
+#ifdef SSL_OP_ENABLE_KTLS
+ flags |= SSL_OP_ENABLE_KTLS;
 #endif
 SSL_CTX_set_options(ctx, flags);
+#ifdef SSL_MODE_NO_KTLS_TX
 SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 return (ctx);
 }
diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
index 1c7687cad87a..71787b162acd 100644
--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
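Review bot: In rpctls_setupcl_ssl() the new `#ifdef SSL_MODE_NO_KTLS_TX` guard turns what used to be a compile error into a silent no-op. Against OpenSSL headers that define neither SSL_OP_ENABLE_KTLS nor SSL_MODE_NO_KTLS_TX, the function now builds and returns a context on which kernel TLS was never requested. The same pattern appears in rpctls_setup_ssl() in rpc.tlsservd.c. If these daemons require kernel TLS once the handshake is done (not determinable from the hunk), a build-time check would surface the mismatch: `#if !defined(SSL_OP_ENABLE_KTLS) && !defined(SSL_MODE_NO_KTLS_TX)` / `#error "OpenSSL headers lack KTLS controls"` / `#endif`. The function body starts above the hunk.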
@@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir)
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, rpctls_verify_callback);
 }
+#ifdef SSL_OP_ENABLE_KTLS
+ SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
+#ifdef SSL_MODE_NO_KTLS_TX
 SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 return (ctx);
 }
_______________________________________________ dev-commits-src-main@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"
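Review bot: `SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS)` in rpctls_setup_ssl() only asks OpenSSL to attempt kernel TLS. It does not guarantee that a given connection ends up offloaded, since that also depends on kernel support and the negotiated cipher suite. Nothing in this hunk shows where the outcome is checked, so confirm that the accept path verifies it after the handshake (OpenSSL exposes `BIO_get_ktls_send()` and `BIO_get_ktls_recv()` for this) and fails closed otherwise. A short comment above the new block would record the distinction, e.g. `/* Opt in to kernel TLS; this is only a request, offload must be checked per connection. */`. The function body starts above the hunk.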