By the way, in-kernel TLS has now landed in the Linux kernel: https://github.com/torvalds/linux/blob/master/Documentation/networking/tls.txt
There is work in progress to take advantage of that in OpenSSL: https://github.com/Mellanox/tls-openssl Ismael On Tue, Sep 6, 2016 at 1:48 PM, Todd Palino <tpal...@gmail.com> wrote: > Yeah, that's why I mentioned it with a caveat :) Someone (I can't recall > who, but it was someone I consider reasonably knowledgable as I actually > gave it some weight) mentioned it, but I haven't looked into it further > than that. I agree that I don't see how this is going to help us at the app > layer. > > -Todd > > On Tuesday, September 6, 2016, Ismael Juma <ism...@juma.me.uk> wrote: > > > Hi Todd, > > > > Thanks for sharing your experience enabling TLS in your clusters. Very > > helpful. One comment below. > > > > On Sun, Sep 4, 2016 at 6:28 PM, Todd Palino <tpal...@gmail.com > > <javascript:;>> wrote: > > > > > > Right now, we're specifically avoiding moving consume traffic to SSL, > due > > > to the zero copy send issue. Now I've been told (but I have not > > > investigated) that OpenSSL can solve this. It would probably be a good > > use > > > of time to look into that further. > > > > > > > As far as I know, OpenSSL can reduce the TLS overhead, but we will still > > lose the zero-copy optimisation. There is some attempts at making it > > possible to retain zero-copy with TLS in the kernel[1][2], but it's > > probably too early for us to consider that for Kafka. > > > > Ismael > > > > [1] https://lwn.net/Articles/666509/ > > [2] > > http://techblog.netflix.com/2016/08/protecting-netflix- > > viewing-privacy-at.html > > > > > -- > *Todd Palino* > Staff Site Reliability Engineer > Data Infrastructure Streaming > > > > linkedin.com/in/toddpalino >
