Benjamin Kaduk wrote:
>On Sat, Jan 23, 2021 at 03:25:59PM +0000, Rick Macklem wrote:
>> Ronald Klop wrote:
>> >On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <n...@freebsd.org> wrote:
>> >But I think for Tor to support KTLS it needs to implement some things
>> >itself. More information about that could be asked at the maintainer of
>> >the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>> >project.
>> To just make it work, I don't think changes are needed beyond linking to
>> the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
>> (There are new library calls an application can use to check to see if
>> KTLS is enabled for the connection, but if it doesn't care, I don't think
>> those calls are needed?)
>>
>> You do need to run a kernel with "options KERN_TLS" and set
>> kern.ipc.tls.enable=1
>> kern.ipc.mb_use_ext_pgs=1
>
>Note that upstream openssl is expecting to change in what ways ktls is
>(en/dis)abled by default; see
>https://github.com/openssl/openssl/issues/13794
Thanks for the pointer Ben.
It appears that
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX)
or similar will soon be needed to enable it.
I'll add this call to the nfs-over-tls daemons, since it should be harmless to 
do.

Thanks for mentioning this, rick

-Ben
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
