Re: Getting started with ktls

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Sun, 14 Mar 2021 20:55:18 +0000
[stuff snipped]
> J. wrote:
>>
>> I'd like to have it (ktls) available on the ARM64
>> stable/13-n244876-0b45290603b. Is it just a matter of adding the option,
>> and then the sysctls become available? Is it "better" with openssl[-devel]
>> in ports or openssl in base?
>>
>> thanks,
>> --
>> J.
Alan explains how to set it up, below.
However, I thought I'd note that maybe one person has tested KTLS
on arm64, so you should consider doing this for test purposes only.
If you do do some testing, please post with your results,
success or failure.

>It's present in current kernels for both 13 and 14, amd64 and aarch64.
>However, it's not present in 13's openssl.  To use it, you must either
>rebuild world with WITH_OPENSSL_KTLS=YES in /etc/src.conf,
Doing it this way means that everything linked to OpenSSL will use
it. Probably a better test situation, but expect at least the apache
server to break. (Most breakage was fixed by a recent patch to the
serf library, but I think the apache server is still broken.)

>(or) install
>security/openssl-devel from pkg, or build security/openssl from ports with
>the KTLS option enabled.  I don't know if any version of openssl is
>"better" than another.  The sysctls should be available in any case.
Only applications built using includes from /usr/local/include and
linked to libraries in /usr/local/lib will use it for these cases.

If you want to try NFS-over-TLS, see this:
https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

Please let us know if you try it, rick

-Alan


Received on Sun Mar 14 2021 - 19:55:27 UTC
