• How to use ktls with openssl in base

    From Pete French@pete@twisted.org.uk to muc.lists.freebsd.stable on Fri Sep 12 21:08:01 2025
    From Newsgroup: muc.lists.freebsd.stable

    Am running 14.3-STABLE from a few weeks ago, and I would rather like
    to get KTLS working with the openssl in base. I have got it working
    with GnuTLS from ports easily enough (enable in the global config file
    and it just works). But am having problems in base.

    My understanding is that the openssl in base is compiled with ktls
    support. From reading around, it seems I do need to enable it by
    adding KTLS to the 'Options' directive in things like Apache,
    but this doesn't seem to work.

    I also tried adding it to /etc/ssl/openssl.cnf

    I am checking to see if it's working by making a connection and
    then checking the value of kern.ipc.tls.stats.offload_total to
    see if it increases. It does with GnuTLS, but it does not when I
    use openssl s_client.

    I believe it's actually parsing my options, because if I make a
    deliberate typo it rejects them.

    This is what I did in openssl.cnf

    [openssl_init]
    providers = provider_sect

    # Add KTLS to the options
    ssl_conf = local_ssl_conf

    [local_ssl_conf]
    ktls = local_ktls_conf

    [local_ktls_conf]
    Options = KTLS

    and this is what I did in Apache

    SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS


    but so far, the offload_total remains stubbornly static.
    Anyone got any hints?

    thanks!

    -pete.




    --
    Posted automagically by a mail2news gateway at muc.de e.V.
    Please direct questions, flames, donations, etc. to news-admin@muc.de
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Fri Sep 12 13:44:05 2025

    On Fri, Sep 12, 2025 at 1:08 PM Pete French <pete@twisted.org.uk> wrote:
    > Am running 14.3-STABLE from a few weeks ago, and I would rather like
    > to get KTLS working with the openssl in base. I have got it working
    > with GnuTLS from ports easily enough (enable in the global config file
    > and it just works). But am having problems in base.
    Is kern.ipc.tls.enable set non-zero on the system?
    (You might also need kern.ipc.tls.cbc_enable=1 too?)
    For the NFS-over-TLS, once that is done, it works.
    (But I have not tested 14.3.)
    The call BIO_get_ktls_send() tests to see if it is enabled, but shouldn't
    need to be done to enable it.
    rick

  • From Pete French@pete@twisted.org.uk to muc.lists.freebsd.stable on Fri Sep 12 22:03:16 2025



    On 12/09/2025 21:44, Rick Macklem wrote:
    > The call BIO_get_ktls_send() tests to see if it is enabled, but shouldn't
    > need to be done to enable it.


    Actually, this is interesting.

    The sysctl kern.ipc.tls.stats.enable_calls increases
    when using GnuTLS, but not OpenSSL. So, judging by the
    name, it isn't making the call to enable it.

    -pete.


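    A shell check for the method Pete describes, as an added example and not code from anyone in the thread: it snapshots the two counters discussed above (enable_calls and offload_total), makes one connection with the base openssl s_client, and reports which of them moved, after first checking kern.ipc.tls.enable as Rick suggests. It assumes FreeBSD sysctl(8) and openssl(1) are in PATH and takes host and port as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread. Repeats the check Pete describes
# (snapshot the KTLS counters, make one TLS connection, compare) and checks
# kern.ipc.tls.enable first, as Rick suggests.
# Assumes FreeBSD sysctl(8) and openssl(1) in PATH; host/port are arguments.

# Value of one "name: value" line in a sysctl(8) dump ($2), for key $1.
ktls_counter() {
    printf '%s\n' "$2" | awk -v key="$1" -F': ' '$1 == key { print $2; exit }'
}

# Print "name before after delta" for counter $1 between dumps $2 and $3;
# exit status is 0 only if the counter grew.
ktls_delta() {
    b=$(ktls_counter "$1" "$2")
    a=$(ktls_counter "$1" "$3")
    : "${b:=0}" "${a:=0}"
    printf '%s %s %s %s\n' "$1" "$b" "$a" "$((a - b))"
    [ "$a" -gt "$b" ]
}

# Dump the three sysctls the thread relies on.
ktls_snapshot() {
    sysctl kern.ipc.tls.enable \
           kern.ipc.tls.stats.offload_total \
           kern.ipc.tls.stats.enable_calls
}

# Make one connection with the base openssl and report what moved.
# Returns 0 only if offload_total grew, i.e. the kernel took the session.
ktls_probe() {
    host=$1 port=${2:-443}
    snap0=$(ktls_snapshot)
    if [ "$(ktls_counter kern.ipc.tls.enable "$snap0")" = 0 ]; then
        echo "kern.ipc.tls.enable is 0: set it to 1 before testing" >&2
        return 2
    fi
    # stdin from /dev/null: s_client finishes the handshake and exits
    openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1
    snap1=$(ktls_snapshot)
    # enable_calls: did the library ask the kernel at all?
    # offload_total: did the kernel accept the session?
    ktls_delta kern.ipc.tls.stats.enable_calls "$snap0" "$snap1"
    ktls_delta kern.ipc.tls.stats.offload_total "$snap0" "$snap1"
}

if [ $# -gt 0 ]; then
    ktls_probe "$@"
fi
```

Run it as `sh ktls_probe.sh <host> [port]`; an enable_calls delta of zero means the library never asked the kernel, which is the case Pete observes with OpenSSL.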
  • From Pete Wright@pete@nomadlogic.org to muc.lists.freebsd.stable on Fri Sep 12 14:24:07 2025



    On 9/12/25 13:08, Pete French wrote:
    > Am running 14.3-STABLE from a few weeks ago, and I would rather like
    > to get KTLS working with the openssl in base. I have got it working
    > with GnuTLS from ports easily enough (enable in the global config file
    > and it just works). But am having problems in base.
    > My understanding is that the openssl in base is compiled with ktls
    > support. From reading around, it seems I do need to enable it by
    > adding KTLS to the 'Options' directive in things like Apache,
    > but this doesn't seem to work.

    just checking dumb things, ktls(4) man page states "OpenSSL in the base
    system includes KTLS support when built with WITH_OPENSSL_KTLS." I
    don't think that's a default knob?

    -pete>
    --
    Pete Wright
    pete@nomadlogic.org



  • From Rick Macklem@rick.macklem@gmail.com to muc.lists.freebsd.stable on Fri Sep 12 14:40:02 2025

    On Fri, Sep 12, 2025 at 2:24 PM Pete Wright <pete@nomadlogic.org> wrote:
    > On 9/12/25 13:08, Pete French wrote:
    > > Am running 14.3-STABLE from a few weeks ago, and I would rather like
    > > to get KTLS working with the openssl in base. I have got it working
    > > with GnuTLS from ports easily enough (enable in the global config file
    > > and it just works). But am having problems in base.
    > > My understanding is that the openssl in base is compiled with ktls
    > > support. From reading around, it seems I do need to enable it by
    > > adding KTLS to the 'Options' directive in things like Apache,
    > > but this doesn't seem to work.
    >
    > just checking dumb things, ktls(4) man page states "OpenSSL in the base
    > system includes KTLS support when built with WITH_OPENSSL_KTLS." I
    > don't think that's a default knob?
    For amd64 and aarch64 it should be. For other arches, it won't be.
    (You can look in share/mk/src.opts.mk.)
    rick

  • From Alexander Leidinger@Alexander@Leidinger.net to muc.lists.freebsd.stable on Sat Sep 13 11:46:44 2025

    On 2025-09-12 22:08, Pete French wrote:
    > Am running 14.3-STABLE from a few weeks ago, and I would rather like
    > to get KTLS working with the openssl in base. I have got it working
    > with GnuTLS from ports easily enough (enable in the global config file
    > and it just works). But am having problems in base.
    >
    > My understanding is that the openssl in base is compiled with ktls
    > support. From reading around, it seems I do need to enable it by
    > adding KTLS to the 'Options' directive in things like Apache,
    > but this doesn't seem to work.
    >
    > I also tried adding it to /etc/ssl/openssl.cnf
    >
    > I am checking to see if it's working by making a connection and
    > then checking the value of kern.ipc.tls.stats.offload_total to
    > see if it increases. It does with GnuTLS, but it does not when I
    > use openssl s_client.
    >
    > I believe it's actually parsing my options, because if I make a
    > deliberate typo it rejects them.
    >
    > This is what I did in openssl.cnf
    >
    > [openssl_init]
    > providers = provider_sect
    >
    > # Add KTLS to the options
    > ssl_conf = local_ssl_conf
    >
    > [local_ssl_conf]
    > ktls = local_ktls_conf
    >
    > [local_ktls_conf]
    > Options = KTLS
    >
    > and this is what I did in Apache
    >
    > SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
    >
    > but so far, the offload_total remains stubbornly static.
    > Anyone got any hints?

    For nginx it is "ssl_conf_command Options KTLS;", nothing in openssl.cnf
    needed then. No special build options for src, only
    kern.ipc.tls.enable=1 in sysctl.conf.

    Bye,
    Alexander.
    --
    http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

  • From Steffen Nurpmeso@steffen@sdaoden.eu to muc.lists.freebsd.stable on Sat Sep 13 19:18:30 2025

    (Sorry,)

    Alexander Leidinger wrote in
    <6c75d301df5e5743821a23e4e19c5efc@Leidinger.net>:
    |On 2025-09-12 22:08, Pete French wrote:
    ...
    |> I also tried adding it to /etc/ssl/openssl.cnf
    ...
    |> I believe it's actually parsing my options, because if I make a
    |> deliberate typo it rejects them.
    |>
    |> This is what I did in openssl.cnf
    |>
    |> [openssl_init]
    |> providers = provider_sect
    |>
    |> # Add KTLS to the options
    |> ssl_conf = local_ssl_conf
    |>
    |> [local_ssl_conf]
    |> ktls = local_ktls_conf
    |>
    |> [local_ktls_conf]
    |> Options = KTLS
    |>
    |> and this is what I did in Apache
    |>
    |> SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
    ...
    |For nginx it is "ssl_conf_command Options KTLS;", nothing in openssl.cnf
    |needed then. No special build options for src, only

    but i *think* the *idea* was that an administrator becomes capable
    of managing the security properties of "anything" in a single place.
    So "not needed" is imho false wording, because you need to modify
    a server configuration file with its own syntax, somewhere in the
    filesystem.
    (As it *could* be i am in parts hm responsible for Dr. Stephen
    Henson implementing this in OpenSSL as one of the last big
    from-scratch things he has done, before TLSv1.3 (and before
    completely disappearing from any radar i know, which i find a
    real loss), i wanted to remark that; unfortunately not many
    servers followed this (yet), let alone normal programs. Likely
    also because not all SSL libraries implemented it. I still
    believe it is a great thing, just as is SSL_CONF_cmd(), since user
    strings can simply be passed through, and dynamic libraries sail
    the edge, and then users and admins can just go.)

    --steffen
    |
    |Der Kragenbaer, The moon bear,
    |der holt sich munter he cheerfully and one by one
    |einen nach dem anderen runter wa.ks himself off
    |(By Robert Gernhardt)

