Hello Boris/John I am from NXP and currently working on enabling KTLS on NXP platforms via openssl. I see that you enabled KTLS support in openssl 3.0(https://www.openssl.org/news/changelog.html#openssl-30).
when I configure openssl 3.0 or 3.1.0 with enable-ktls and and try to run the s_server, s_client application. I observe that connection is successfully established - but it didn't use KTLS. Then I added additional log in kernel(file net/tls/tls_main.c) and see that kernel is returning error -ENOTCONN when (sk->sk_state != TCP_ESTABLISHED) in function static int tls_init(struct sock *sk) please help to see the problem. Openssl repo: https://github.com/openssl/openssl , branch: master or openssl-3.0 logs: $ ./ Configure enable-ktls linux-aarch64 $ openssl version OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev ) $ openssl s_server -ktls -key rsa.key -cert server.pem -accept 443 sk->sk_state != TCP_ESTABLISHED (log added in kernel net/tls/tls_main.c) ACCEPT -----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALAMAQABDADNEkWucVTZpiKPtRz48bGM1wHHnOUlta9WcSH9Q3y 4jdP8DgTAZAkrkD9SbCbs6uhBgIEYdQH96IEAgIcIKQGBAQBAAAArQMCAQGzAwIB HQ== -----END SSL SESSION PARAMETERS----- Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384 Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512 Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512 Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2 Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1 Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1 CIPHER is ECDHE-RSA-AES256-GCM-SHA384 Secure Renegotiation IS supported $ openssl s_client -quiet -connect 192.168.0.139:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -tls1_2 -ktls [1119274.610941] sk->sk_state != TCP_ESTABLISHED Connecting to 192.168.0.139 Can't use SSL_get_servername depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=gaura.j...@nxp.com<mailto:gaura.j...@nxp.com> verify error:num=18:self-signed certificate verify return:1 depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=gaura.j...@nxp.com<mailto:gaura.j...@nxp.com> verify return:1 Regards Gaurav Jain From: Gaurav Jain Sent: Wednesday, December 22, 2021 3:54 PM To: openssl-users@openssl.org Cc: Varun Sethi <v.se...@nxp.com>; Pankaj Gupta <pankaj.gu...@nxp.com> Subject: KTLS with openssl 3.0 fail with error ENOTCONN(Transport endpoint is not connected) Hi Kernel Support for KTLS: kernel version is 5.15 CONFIG_TLS=y CONFIG_TLS_DEVICE=y CONFIG_CRYPTO_TLS=y Openssl: $ ./ Configure enable-ktls linux-aarch64 $ make Server $ ./openssl version OpenSSL 3.0.2-dev 14 Dec 2021 (Library: OpenSSL 3.0.0 7 sep 2021) $ ./openssl s_server -key rsa.key -cert server.pem -accept 443 error file: crypto/bio/bio_sock2.c function: BIO_socket() ktls_enable(sock); failed with ENOTCONN error setsockopt failed, 107, Transport endpoint is not connected server logs( added some debug logs) root@imx8mmevk:~# ./openssl s_server -key rsa.key -cert server.pem -accept 443 sk->sk_state != TCP_ESTABLISHED (log added in kernel net/tls/tls_main.c) sk->sk_state != TCP_ESTABLISHED BIO_socket sock_family = 10, sock_type = 1, sock_protocol = 6, return = 3 setsockopt failed, 107, Transport endpoint is not connected BIO_socket, ktls_enable(asock) = 0 ACCEPT setsockopt failed, 17, File exists BIO_new_socket, ktls_enable(s) = 0 -----BEGIN SSL SESSION PARAMETERS----- MF8CAQECAgMDBALAMAQABDAC9MHCSSlLXrS0D8tq2hCZtW0vmB1EC6HQerBThuev PdX7VOUnD1a2bybdw1LfEiqhBgIEYcLciaIEAgIcIKQGBAQBAAAArQMCAQGzAwIB HQ== -----END SSL SESSION PARAMETERS----- Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384 Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512 Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512 Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2 Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1 Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1 CIPHER is ECDHE-RSA-AES256-GCM-SHA384 Secure Renegotiation IS supported Using Kernel TLS for sending fail Using Kernel TLS for receiving fail Regards Gaurav Jain
