Re: Can In-Kernel TLS (kTLS) work with any OpenSSL Application?

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Sat, 23 Jan 2021 15:25:59 +0000
Ronald Klop wrote:
>On Wed, 20 Jan 2021 21:21:15 +0100, Neel Chauhan <nc_at_freebsd.org> wrote:
>
>> Hi freebsd-current_at_,
>>
>> I know that In-Kernel TLS was merged into the FreeBSD HEAD tree a while
>> back.
>>
>> With 13.0-RELEASE around the corner, I'm thinking about upgrading my
>> home server, well if I can accelerate any SSL application.
>>
>> I'm asking because I have a home server on a symmetrical Gigabit
>> connection (Google Fiber/Webpass), and that server runs a Tor relay. If
>> you're interested in how Tor works, the EFF has a writeup:
>> https://www.eff.org/pages/what-tor-relay
>>
>> But the main point for you all is: more-or-less, Tor relays deal with
>> 1000s of TLS connections going into and out of the server.
>>
>> Would In-Kernel TLS help with an application like Tor (or even load
>> balancers/TLS termination), or is it more for things like web servers
>> sending static files via sendfile() (e.g. the CDN used by Netflix)?
>>
>> My server could also work with Intel's QuickAssist (since it has an
>> Intel Xeon "Scalable" CPU). Would QuickAssist SSL be more helpful here?
There is now qat(4), which KTLS should be able to use, but I do
not think it has been tested for this. I also have no idea
if it can be used effectively for userland encryption?

>>
>> I'm asking since I don't know whether to upgrade my home server to 13.x
>> or leave it at 12.x. Yes, I do know we need a special OpenSSL to use
>> kTLS.
>>
>> -Neel

I cannot answer your main question. All I can tell you is this...
KTLS works very well for NFS, but that is, at least in part, because the data
never needs to move up to userspace. For server side read, the data is read
into anonymous pages by VOP_READ() and then those are handed to the
socket hanging off of MEXTPG mbufs. The KTLS then creates/encrypts the
application data records that go on the wire.

Since I assume Tor does SSL_write() or similar in userspace, the question
becomes "is doing the encryption in the kernel instead of userspace going
to perform better?". For something like a Chelsio-T6, I'd guess yes. For
software encryption, I have no idea?

The KTLS software encryption creates one kernel thread per CPU and then
sockets that are KTLS enabled are assigned to one of these threads. Does
this help w.r.t. your load balancing issue? Again, I have no idea.

>According to the history of the openssl port it has support for KTLS.
>https://www.freshports.org/security/openssl
>I don't know about the openssl in base.
I believe both openssl and openssl-devel in ports have the KTLS support
in them, although you might need to click on "KTLS" during the port
build to enable it. (I use openssl-devel, which is OpenSSL3, still in alpha
test, but seems to work well.)
openssl in base does not have KTLS support, as far as I know.

>But I think for Tor to support KTLS it needs to implement some things
>itself. More information about that could be asked at the maintainer of
>the port (https://www.freshports.org/security/tor/) or upstream at the Tor
>project.
To just make it work, I don't think changes are needed beyond linking to
the correct OpenSSL libraries (assuming it uses OpenSSL, of course).
(There are new library calls an application can use to check to see if
KTLS is enabled for the connection, but if it doesn't care, I don't think
those calls are needed?)

You do need to run a kernel with "options KERN_TLS" and set
kern.ipc.tls.enable=1
kern.ipc.mb_use_ext_pgs=1

rick

>Regards,
>Ronald.
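As an added example (not part of the thread, and not FreeBSD or OpenSSL project code), a small sh script that checks the prerequisites Rick lists: the two kern.ipc sysctls from his message and an OpenSSL build that actually has KTLS. The sysctl names come from the message; the `openssl list -disabled` probe is an assumption about the OpenSSL 3 CLI, which lists compile-time disabled features one per line.

```shell
#!/bin/sh
# Added example: check the KTLS prerequisites from Rick's message.
# kern.ipc.tls.enable / kern.ipc.mb_use_ext_pgs are the sysctls he names;
# "openssl list -disabled" (assumed OpenSSL 3 behaviour) shows features the
# library was built without, so KTLS appearing there means no kernel offload.

# Pure decision function so it can be exercised with constructed values:
#   $1 = kern.ipc.tls.enable   $2 = kern.ipc.mb_use_ext_pgs
#   $3 = output of "openssl list -disabled"
# Prints one verdict line per check; returns 0 only when all three pass.
ktls_verdict() {
    enable="$1" ext_pgs="$2" disabled="$3"
    rc=0
    case "$enable" in
        1)  echo "ok: kern.ipc.tls.enable=1" ;;
        "") echo "missing: kern.ipc.tls.enable (kernel built without options KERN_TLS?)"; rc=1 ;;
        *)  echo "off: kern.ipc.tls.enable=$enable (set it to 1)"; rc=1 ;;
    esac
    case "$ext_pgs" in
        1)  echo "ok: kern.ipc.mb_use_ext_pgs=1" ;;
        *)  echo "off: kern.ipc.mb_use_ext_pgs=${ext_pgs:-<absent>} (set it to 1)"; rc=1 ;;
    esac
    if printf '%s\n' "$disabled" | grep -qw KTLS; then
        echo "off: this OpenSSL was built without KTLS support"; rc=1
    else
        echo "ok: OpenSSL does not report KTLS as a disabled feature"
    fi
    return $rc
}

# Live probe: feeds the real values from this host into the decision function.
# A sysctl that does not exist (or a non-FreeBSD host) yields an empty value.
ktls_check_host() {
    ktls_verdict "$(sysctl -n kern.ipc.tls.enable 2>/dev/null)" \
                 "$(sysctl -n kern.ipc.mb_use_ext_pgs 2>/dev/null)" \
                 "$(openssl list -disabled 2>/dev/null)"
}

# Run the live probe only when asked, so the file can also be sourced.
case "${1:-}" in
    --host) ktls_check_host ;;
esac
```

Run it as `sh ktls_check.sh --host` on the FreeBSD 13 box; a non-zero exit means at least one of the prerequisites is not in place.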
freebsd-current_at_freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
Received on Sat Jan 23 2021 - 14:26:09 UTC