| Field | Value | Date |
|---|---|---|
| author | Matt Caswell <matt@openssl.org> | 2021-04-07 19:36:45 +0100 |
| committer | Matt Caswell <matt@openssl.org> | 2021-04-12 11:32:05 +0100 |
| commit | 6878f4300213cfd7d4f01e26a8b97f70344da100 (patch) | |
| tree | 029af3058e0bead17df24a1e0bbc36ec4a914a53 /doc | |
| parent | a3a54179b6754fbed6d88e434baac710a83aaf80 (diff) | |
| download | openssl-6878f4300213cfd7d4f01e26a8b97f70344da100.tar.gz | |
Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather than two "modes". Documentation is updated
accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
Diffstat (limited to 'doc')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 4 |
| -rw-r--r-- | doc/man3/SSL_CTX_set_mode.pod | 17 |
| -rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 23 |

3 files changed, 27 insertions, 17 deletions
diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index 97ebff047f..3fd1924de6 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -524,6 +524,10 @@ B<CANames>: use CA names extension, enabled by default. Inverse of B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>: that is, B<-CANames> is the same as setting B<SSL_OP_DISABLE_TLSEXT_CA_NAMES>. +B<KTLS>: Enables kernel TLS if support has been compiled in, and it is supported +by the negotiated ciphersuites and extensions. Equivalent to +B<SSL_OP_ENABLE_KTLS>. + =item B<VerifyMode> The B<value> argument is a comma separated list of flags to set. diff --git a/doc/man3/SSL_CTX_set_mode.pod b/doc/man3/SSL_CTX_set_mode.pod index a814022d3c..39b5e1906f 100644 --- a/doc/man3/SSL_CTX_set_mode.pod +++ b/doc/man3/SSL_CTX_set_mode.pod @@ -105,22 +105,6 @@ Enable asynchronous processing. TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. See L<SSL_get_error(3)>. -=item SSL_MODE_NO_KTLS_TX - -Disable the use of the kernel TLS egress data-path. -By default kernel TLS is enabled if it is supported by the negotiated ciphersuites -and extensions and OpenSSL has been compiled with support for it. -The kernel TLS data-path implements the record layer, -and the crypto algorithm. The kernel will utilize the best hardware -available for crypto. Using the kernel data-path should reduce the memory -footprint of OpenSSL because no buffering is required. Also, the throughput -should improve because data copy is avoided when user data is encrypted into -kernel memory instead of the usual encrypt than copy to kernel. - -Kernel TLS might not support all the features of OpenSSL. For instance, -renegotiation, and setting the maximum fragment size is not possible as of -Linux 4.20. - =item SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG Older versions of OpenSSL had a bug in the computation of the label length 
@@ -150,7 +134,6 @@ L<SSL_write(3)>, L<SSL_get_error(3)> =head1 HISTORY SSL_MODE_ASYNC was added in OpenSSL 1.1.0. -SSL_MODE_NO_KTLS_TX was added in OpenSSL 3.0. =head1 COPYRIGHT diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 68a1552430..2212e8aca3 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -279,6 +279,29 @@ responsible for cleansing all other buffers. Most notably, this applies to buffers passed to functions like L<SSL_read(3)>, L<SSL_peek(3)> but also like L<SSL_write(3)>. +=item SSL_OP_ENABLE_KTLS + +Enable the use of kernel TLS. In order to benefit from kernel TLS OpenSSL must +have been compiled with support for it, and it must be supported by the +negotiated ciphersuites and extensions. The specific ciphersuites and extensions +that are supported may vary by platform and kernel version. + +The kernel TLS data-path implements the record layer, and the encryption +algorithm. The kernel will utilize the best hardware +available for encryption. Using the kernel data-path should reduce the memory +footprint of OpenSSL because no buffering is required. Also, the throughput +should improve because data copy is avoided when user data is encrypted into +kernel memory instead of the usual encrypt then copy to kernel. + +Kernel TLS might not support all the features of OpenSSL. For instance, +renegotiation, and setting the maximum fragment size is not possible as of +Linux 4.20. + +Note that with kernel TLS enabled some cryptographic operations are performed +by the kernel directly and not via any available OpenSSL Providers. This might +be undesirable if, for example, the application requires all cryptographic +operations to be performed by the FIPS provider. + =back The following options no longer have any effect but their identifiers are |
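Review bot: In the SSL_CONF_cmd.pod hunk, the new B<KTLS> entry does not state its default or its negated form, while the neighbouring B<CANames> entry does ("enabled by default", and B<-CANames> maps to the inverse option). Since the commit message says KTLS is now off by default, the entry should say so and spell out what B<-KTLS> does, e.g. "B<KTLS>: enable kernel TLS ...; disabled by default. B<-KTLS> clears B<SSL_OP_ENABLE_KTLS>." so that a config-file author knows the default and the switch-off form without reading the source.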
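Review bot: The SSL_CTX_set_mode.pod hunk removes SSL_MODE_NO_KTLS_TX, whose text described kernel TLS as enabled by default when compiled in. Dropping the item is consistent with the new semantics, but nothing in this patch tells a user who relied on the old default-on behaviour that they now have to set SSL_OP_ENABLE_KTLS explicitly; a short migration note (in CHANGES or the migration guide, not this POD page) pointing from the removed mode to the new option would avoid silent loss of the kernel data-path on upgrade.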
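Review bot: The SSL_CTX_set_options.pod hunk adds SSL_OP_ENABLE_KTLS without a matching HISTORY entry, even though the same patch deletes "SSL_MODE_NO_KTLS_TX was added in OpenSSL 3.0." from SSL_CTX_set_mode.pod; add "SSL_OP_ENABLE_KTLS was added in OpenSSL 3.0." to the HISTORY section of this page. Two smaller documentation points in the same hunk: the removed mode was explicitly TX-only ("egress data-path"), whereas the new option name carries no direction, so the first paragraph should say whether the option governs the send path, the receive path, or both; and the sentence "The kernel will utilize the best hardware available for encryption" is a claim about the kernel's behaviour that OpenSSL cannot guarantee, so it would read better as "may offload encryption to hardware where the kernel supports it". The FIPS caveat in the last paragraph is a valuable addition and should stay.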