On 2025-09-12 22:08, Pete French wrote:
> Am running 14.3-STABLE from a few weeks ago, and I would rather like to get KTLS working with the openssl in base. I have got it working with GnuTLS from ports easily enough (enable in the global config file and it just works). But am having problems in base.
>
> My understanding is that the openssl in base is compiled with ktls support. From reading around, it seems I do need to enable it by adding KTLS to the 'Options' directive in things like Apache, but this doesn't seem to work. I also tried adding it to /etc/ssl/openssl.cnf.
>
> I am checking to see if it's working by making a connection and then checking the value of kern.ipc.tls.stats.offload_total to see if it increases. It does with GnuTLS, but it does not when I use openssl s_client.
>
> I believe it's actually parsing my options, because if I make a deliberate typo it rejects them.
>
> This is what I did in openssl.cnf:
>
>     [openssl_init]
>     providers = provider_sect
>     # Add KTLS to the options
>     ssl_conf = local_ssl_conf
>
>     [local_ssl_conf]
>     ktls = local_ktls_conf
>
>     [local_ktls_conf]
>     Options = KTLS
>
> and this is what I did in Apache:
>
>     SSLOpenSSLConfCmd Options SessionTicket,ServerPreference,KTLS
>
> but so far, the offload_total remains stubbornly static. Anyone got any hints?

For nginx it is "ssl_conf_command Options KTLS;", nothing in openssl.cnf needed then. No special build options for src, only kern.ipc.tls.enable=1 in sysctl.conf.

Bye,
Alexander.

-- 
http://www.Leidinger.net [email protected]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org [email protected] : PGP 0x8F31830F9F2772BF
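
The counter check described in the question can be scripted. The following is an added example, not part of the thread: it confirms kern.ipc.tls.enable is 1, then compares kern.ipc.tls.stats.offload_total before and after a probe command. The function names and the SYSCTL_CMD override are hypothetical, and the host name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: did a TLS connection use kernel TLS on this FreeBSD host?
# SYSCTL_CMD is a hypothetical override so the logic can be exercised
# without a FreeBSD kernel; by default the real sysctl(8) is used.
: "${SYSCTL_CMD:=sysctl}"

# Print the numeric value of one sysctl; fail if missing or non-numeric.
ktls_read() {
    v=$($SYSCTL_CMD -n "$1" 2>/dev/null) || return 1
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$v"
}

# ktls_check CMD [ARGS...]
# Returns 0 if offload_total grew while CMD ran, 1 if it did not,
# 2 if KTLS is disabled or the counters are unavailable.
ktls_check() {
    enabled=$(ktls_read kern.ipc.tls.enable) || {
        echo "KTLS sysctls not available" >&2
        return 2
    }
    if [ "$enabled" -ne 1 ]; then
        echo "kern.ipc.tls.enable=$enabled: kernel will not offload" >&2
        return 2
    fi
    before=$(ktls_read kern.ipc.tls.stats.offload_total) || return 2
    # The probe's own exit status is ignored: only the counter matters.
    "$@" >/dev/null 2>&1 </dev/null || true
    after=$(ktls_read kern.ipc.tls.stats.offload_total) || return 2
    delta=$((after - before))
    echo "offload_total: $before -> $after (delta $delta)"
    [ "$delta" -gt 0 ]
}

# Example on a FreeBSD host (host name is a placeholder):
#   sh ktls_check.sh openssl s_client -connect www.example.org:443
if [ "$#" -gt 0 ]; then
    ktls_check "$@"
fi
```

The counter is system-wide, so other TLS traffic on the host can raise it during the probe; run the check on an otherwise idle machine.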
