
OpenSSL: Only enable KTLS if it is explicitly configured
Closed, Public

Authored by jhb on Aug 6 2021, 11:37 PM.

Details

Summary

It has always been the case that KTLS is not compiled by default. However,
if it is compiled then it is automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.

Instead we change KTLS so that it is disabled by default.

We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).

Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
MFC after: 1 month

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review. Aug 17 2021, 9:46 PM
This revision was automatically updated to reflect the committed changes.

Will the MFC to stable/13 of this change unbreak kTLS, which is not working in this branch? It looks like kTLS stopped working here after the recent OpenSSL upgrade. stable/13 now has OpenSSL 1.1.1l-freebsd 24 Aug 2021 installed in the base system, and despite the fact that it was built with WITH_OPENSSL_KTLS=yes and enabled, all kTLS related stats are empty:
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls11_cbc_crypts: 0
kern.ipc.tls.stats.ocf.tls10_cbc_crypts: 0

This change was already MFC'd to stable/13. Note that because of this change, you now need to enable KTLS explicitly as an SSL option. One way is to use a config file (and in a followup to the commit to main I gave an example config file which does this).

In D31440#723967, @jhb wrote:

This change was already MFC'd to stable/13. Note that because of this change, you now need to enable KTLS explicitly as an SSL option. One way is to use a config file (and in a followup to the commit to main I gave an example config file which does this).

Thank you for the answer. So OpenSSL 1.1.1l-freebsd 24 Aug 2021, which is now in the base system of stable/13, which was built with WITH_OPENSSL_KTLS=yes and enabled by setting these sysctls:
kern.ipc.mb_use_ext_pgs=1
kern.ipc.tls.ifnet.permitted=1
kern.ipc.tls.enable=1

with these settings in /etc/ssl/openssl.cnf

openssl_conf = openssl_init
[ openssl_init ]
ssl_conf = ssl_sect
[ ssl_sect ]
system_default = system_default_sect
[ system_default_sect ]
Options = KTLS

should work as before? Am I missing anything? I am still not able to make it work as it used to before the upgrades performed in late summer.

I am sorry for the noise. Everything works fine. It looks like /etc/ssl/openssl.cnf was a bit overweight and busted.

No worries, glad it is working for you. I will likely default WITH_OPENSSL_KTLS to on in stable/13 in the near future so that 13.1 includes KTLS support in OpenSSL by default.
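The thread above ends with the cause being a "busted" /etc/ssl/openssl.cnf rather than the kernel side. The script below is an added example, not part of this review or of the FreeBSD or OpenSSL sources, that checks the two things the discussion turns on: whether the config's section chain (openssl_conf, then ssl_conf, then system_default, then Options) really reaches a plain "KTLS" token for the default SSL context, and whether the kern.ipc.tls.stats *_crypts counters actually move between two snapshots taken around a TLS transfer, since the three kernel knobs at 1 are necessary but not sufficient once KTLS is opt-in in OpenSSL. The function names, the constructed sample inputs in the demo and the assumption that sysctl prints "name: value" (sysctl.conf style "name=value" is also accepted) are the example's own.

```shell
#!/bin/sh
# Added example (not from the review or from FreeBSD/OpenSSL).  Checks that
# /etc/ssl/openssl.cnf actually enables KTLS for the default SSL context and
# that the kernel TLS counters moved.  A typo at any hop of the section chain
#   openssl_conf -> [init] ssl_conf -> [ssl] system_default -> [sect] Options
# silently leaves KTLS disabled, which is what the thread ran into.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] ("" means the
# unsectioned header area).  Exit status 1 when the key is absent.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {                       # "[ section ]" header
            s = $0
            sub(/^[[:space:]]*\[[[:space:]]*/, "", s)
            sub(/[[:space:]]*\].*$/, "", s)
            sec = s; next
        }
        sec == want_sec && index($0, "=") > 0 {   # "key = value" line
            k = $0; v = $0
            sub(/[[:space:]]*=.*$/, "", k); sub(/^[[:space:]]*/, "", k)
            sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            if (k == want_key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# ktls_config_enabled FILE: status 0 when the default SSL context gets KTLS.
# Options is a comma-separated list; "-KTLS" is the explicit off switch and
# must not count, so the token has to match exactly.
ktls_config_enabled() {
    cnf=$1
    init=$(ini_get "$cnf" "" openssl_conf) || return 1
    sslsec=$(ini_get "$cnf" "$init" ssl_conf) || return 1
    defsec=$(ini_get "$cnf" "$sslsec" system_default) || return 1
    opts=$(ini_get "$cnf" "$defsec" Options) || return 1
    printf '%s\n' "$opts" | tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qx KTLS
}

# ktls_sysctls_ok SNAPSHOT: status 0 when the three knobs from the thread are
# all 1 in a "sysctl kern.ipc" dump ("name: value" or "name=value").
ktls_sysctls_ok() {
    awk -F'[:=][[:space:]]*' '
        ($1 == "kern.ipc.mb_use_ext_pgs" || $1 == "kern.ipc.tls.enable" ||
         $1 == "kern.ipc.tls.ifnet.permitted") && $2 + 0 == 1 { ok++ }
        END { exit (ok == 3 ? 0 : 1) }
    ' "$1"
}

# ktls_counters_moved BEFORE AFTER: status 0 when any *_crypts counter grew
# between two "sysctl kern.ipc.tls.stats" snapshots taken around a transfer.
ktls_counters_moved() {
    awk -F'[:=][[:space:]]*' '
        FNR == NR { before[$1] = $2 + 0; next }
        $1 ~ /crypts$/ && ($2 + 0) > before[$1] { moved = 1 }
        END { exit (moved ? 0 : 1) }
    ' "$1" "$2"
}

# Stand-alone demo on constructed inputs (not real host data): the thread's
# working config, a copy with the last hop misspelt, and two counter snapshots.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/good.cnf" <<'EOF'
openssl_conf = openssl_init
[ openssl_init ]
ssl_conf = ssl_sect
[ ssl_sect ]
system_default = system_default_sect
[ system_default_sect ]
Options = KTLS
EOF
    sed 's/^system_default = .*/system_default = sysdefault_sect/' \
        "$d/good.cnf" > "$d/broken.cnf"
    printf 'kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0\n' > "$d/before"
    printf 'kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 4096\n' > "$d/after"
    for c in good broken; do
        if ktls_config_enabled "$d/$c.cnf"; then echo "$c.cnf: KTLS enabled"
        else echo "$c.cnf: KTLS NOT enabled (check the section chain)"; fi
    done
    if ktls_counters_moved "$d/before" "$d/after"; then echo "kernel did TLS crypto"
    else echo "no kernel TLS crypto happened"; fi
    rm -rf "$d"
}

# No argument: run the demo.  Otherwise treat $1 as the openssl.cnf to check.
if [ $# -eq 0 ]; then demo
elif ktls_config_enabled "$1"; then echo "$1 enables KTLS"
else echo "$1 does not enable KTLS"; fi
```

On a live host the intended use is "sh ktls_check.sh /etc/ssl/openssl.cnf" for the config, "sysctl kern.ipc.mb_use_ext_pgs kern.ipc.tls.enable kern.ipc.tls.ifnet.permitted > knobs" followed by ktls_sysctls_ok knobs, and two "sysctl kern.ipc.tls.stats > before|after" snapshots around a transfer followed by ktls_counters_moved. Only the last check proves that TLS records were actually encrypted in the kernel.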