ktls only permits the session keys to be set once in each direction. As a result, applications must disable rekeying when using ktls.
TCP_TLS_MODE_NONE
    ktls is not enabled.

TCP_TLS_MODE_SW
    TLS records are encrypted or decrypted in the kernel in the socket layer. Typically the encryption or decryption is performed in software, but it may also be performed by co-processors via crypto(9).

TCP_TLS_MODE_IFNET
    TLS records are encrypted or decrypted by the network interface card (NIC). In this mode, the network stack does not work with encrypted data. Instead, the NIC encrypts TLS records as they are being transmitted, or decrypts received TLS records before providing them to the host.

    Network interfaces which support this feature will advertise the TXTLS4 (for IPv4) and/or TXTLS6 (for IPv6) capabilities as reported by ifconfig(8). These capabilities can also be controlled by ifconfig(8). If a network interface supports rate limiting (also known as packet pacing) for TLS offload, the interface will advertise the TXTLS_RTLMT capability.

TCP_TLS_MODE_TOE
    TLS records are encrypted by the NIC using a TCP offload engine (TOE). This is similar to TCP_TLS_MODE_IFNET in that the network stack does not work with encrypted data. However, this mode works in tandem with a TOE to handle interactions between TCP and TLS.
TLS transmit requires the use of unmapped mbufs. Unmapped mbufs are not enabled by default, but can be enabled by setting the kern.ipc.mb_use_ext_pgs sysctl node to 1.
The current TLS transmit mode of a socket can be queried via the TCP_TXTLS_MODE socket option. A socket using TLS transmit offload can also set the TCP_TXTLS_MODE socket option to toggle between TCP_TLS_MODE_SW and TCP_TLS_MODE_IFNET.
[EINVAL]
    The version fields in a TLS record's header did not match the version required by the struct tls_enable structure used to enable in-kernel TLS.

[EMSGSIZE]
    A TLS record's length was either too small or too large.

[EMSGSIZE]
    The connection was closed after sending a truncated TLS record.

[EBADMSG]
    The TLS record failed to match the included authentication tag.
The current TLS receive mode of a socket can be queried via the TCP_RXTLS_MODE socket option. At present, the mode cannot be changed.
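As an added example (not part of the ktls(4) page), the following C helpers wrap the TCP_TXTLS_MODE and TCP_RXTLS_MODE socket options described above: one queries the mode of either direction, the other performs the one change the page permits, toggling an already-active transmit side between TCP_TLS_MODE_SW and TCP_TLS_MODE_IFNET. The helper names are invented here; the options exist only in FreeBSD's <netinet/tcp.h>, so on other systems the helpers compile but fail with ENOSYS.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Query the kTLS mode of one direction of a connected TCP socket
 * (TCP_TXTLS_MODE for transmit, TCP_RXTLS_MODE for receive).
 * Returns a TCP_TLS_MODE_* value, or -1 with errno set. */
int ktls_get_mode(int fd, int transmit)
{
#ifdef TCP_TXTLS_MODE
    int mode;
    socklen_t len = sizeof(mode);
    if (getsockopt(fd, IPPROTO_TCP, transmit ? TCP_TXTLS_MODE : TCP_RXTLS_MODE,
                   &mode, &len) == -1)
        return -1;
    return mode;
#else
    (void)fd; (void)transmit; errno = ENOSYS;   /* not FreeBSD: no kTLS options */
    return -1;
#endif
}

/* Move an active kTLS transmit side between TCP_TLS_MODE_SW and
 * TCP_TLS_MODE_IFNET, the only change ktls(4) permits.  A socket still in
 * TCP_TLS_MODE_NONE (the TLS library never handed keys to the kernel) is
 * rejected; the receive mode cannot be changed at all. */
int ktls_set_tx_mode(int fd, int mode)
{
#ifdef TCP_TXTLS_MODE
    int cur;
    if (mode != TCP_TLS_MODE_SW && mode != TCP_TLS_MODE_IFNET) {
        errno = EINVAL;
        return -1;
    }
    if ((cur = ktls_get_mode(fd, 1)) == -1)
        return -1;
    if (cur == TCP_TLS_MODE_NONE) {
        errno = ENOTSUP;
        return -1;
    }
    if (cur == mode)
        return 0;
    return setsockopt(fd, IPPROTO_TCP, TCP_TXTLS_MODE, &mode, sizeof(mode));
#else
    (void)fd; (void)mode; errno = ENOSYS;       /* not FreeBSD: no kTLS options */
    return -1;
#endif
}
```

Checking that ktls_get_mode(fd, 1) is not TCP_TLS_MODE_NONE after the handshake is the practical way to confirm kTLS actually engaged before relying on SSL_sendfile(3).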
kern.ipc.tls.enable
    Determines if new kernel TLS sessions can be created.

kern.ipc.tls.cbc_enable
    Determines if new kernel TLS sessions with a cipher suite using AES-CBC can be created.

kern.ipc.tls.sw
    A tree of nodes containing statistics for TLS sessions using TCP_TLS_MODE_SW.

kern.ipc.tls.ifnet
    A tree of nodes containing statistics for TLS sessions using TCP_TLS_MODE_IFNET.

kern.ipc.tls.toe
    A tree of nodes containing statistics for TLS sessions using TCP_TLS_MODE_TOE.

kern.ipc.tls.stats
    A tree of nodes containing various kernel TLS statistics.
The cxgbe(4) and mlx5en(4) drivers include support for the TCP_TLS_MODE_IFNET mode.
The cxgbe(4) driver includes support for the TCP_TLS_MODE_TOE mode.
Applications using a supported library should generally work with ktls without any changes provided they use standard interfaces such as SSL_read(3) and SSL_write(3). Additional performance may be gained by the use of SSL_sendfile(3).
KTLS(4)                          March 8, 2021