On 13.09.2025 at 11:46, Alexander Leidinger wrote:
> On 2025-09-12 22:08, Pete French wrote:
>> Am running 14.3-STABLE from a few weeks ago, and I would rather like
>> to get KTLS working with the openssl in base. I have got it working
>> with GnuTLS from ports easily enough (enable in the global config file
>> and it just works). But am having problems in base.
>>
>> My understanding is that the openssl in base is compiled with ktls
>> support. From reading around, it seems I do need to enable it by
>> adding KTLS to the 'Options' directive in things like Apache,
>> but this doesn't seem to work.
>>
>> I also tried adding it to /etc/ssl/openssl.cnf
>>
>> I am checking to see if it's working by making a connection and
>> then checking the value of kern.ipc.tls.stats.offload_total to
>> see if it increases. It does with GnuTLS, but it does not when I
>> use openssl s_client
>>
>> I believe it's actually parsing my options, because if I make a
>> deliberate typo it rejects them.
>>
>> This is what I did in openssl.cnf
>>
>> [openssl_init]
>> providers = provider_sect
>> # Add KTLS to the options
>> ssl_conf = local_ssl_conf
>> [local_ssl_conf]
>> ktls = local_ktls_conf fds
>> [local_ktls_conf]
>> Options = KTLS
>>
>> and this is what I did in Apache
>>
>> SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
>>
>> but so far, the offload_total remains stubbornly static.
>>
>> Anyone got any hints?
>
> For nginx it is "ssl_conf_command Options KTLS;", nothing in
> openssl.cnf needed then. No special build options for src, only
> kern.ipc.tls.enable=1 in sysctl.conf.
>
> Bye,
> Alexander.

Please don’t expect Apache 2.4 to benefit from KTLS[1]. Nginx has been
proven to work for a few years. If you want to check whether KTLS is
active (for Nginx or another application), watch the
kern.ipc.tls.stats.ocf statistics.

[1] https://reviews.freebsd.org/D28932
--
Marek Zarychta
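
The counter check discussed in this thread, as an added example that was not written by any of the participants: it diffs two snapshots of `sysctl kern.ipc.tls.stats` and reports which counters moved. The function names and the `sample_counter` OID in the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare KTLS counters before and after a test connection.
# The counters are system-wide, so other TLS traffic on the host moves
# them too; take the snapshots on an otherwise quiet machine.

# Constructed sample snapshots in `sysctl` "name: value" form.
# "sample_counter" is a placeholder, not a real OID name.
SAMPLE_BEFORE='kern.ipc.tls.stats.offload_total: 4
kern.ipc.tls.stats.ocf.sample_counter: 100'
SAMPLE_AFTER='kern.ipc.tls.stats.offload_total: 5
kern.ipc.tls.stats.ocf.sample_counter: 164'

# ktls_delta BEFORE AFTER: print "name delta" for each counter that changed.
# A negative delta means the counter was reset between the snapshots.
ktls_delta() {
    printf '%s\n@@\n%s\n' "$1" "$2" | awk -F': ' '
        $0 == "@@"                  { after = 1; next }
        NF != 2 || $2 !~ /^[0-9]+$/ { next }   # skip non-numeric OIDs
        !after                      { before[$1] = $2; next }
        ($2 - before[$1]) != 0      { print $1, $2 - before[$1] }
    '
}

# ktls_active BEFORE AFTER: exit 0 if offload_total or any counter under
# kern.ipc.tls.stats.ocf increased, exit 1 otherwise.
ktls_active() {
    ktls_delta "$1" "$2" | awk '
        ($1 == "kern.ipc.tls.stats.offload_total" ||
         $1 ~ /^kern\.ipc\.tls\.stats\.ocf\./) && $2 > 0 { hit = 1 }
        END { exit !hit }
    '
}

# ktls_watch CMD...: snapshot, run CMD (the test request), snapshot again,
# print the deltas and return the ktls_active verdict. FreeBSD only.
ktls_watch() {
    b=$(sysctl kern.ipc.tls.stats) || return 2
    "$@" >/dev/null 2>&1
    a=$(sysctl kern.ipc.tls.stats) || return 2
    ktls_delta "$b" "$a"
    ktls_active "$b" "$a"
}
```

On a FreeBSD host, pass `ktls_watch` the command that makes the test connection; an exit status of 1 means none of the watched counters increased while it ran.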