Re: Getting started with ktls

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Tue, 16 Mar 2021 23:46:27 +0000
J. wrote:
>On Sun, Mar 14, 2021 at 08:55:18PM +0000, Rick Macklem wrote:
>>Alan explains how to set it up, below.
>>However, I thought I'd note that maybe one person has tested KTLS
>>on arm64, so you should consider doing this for test purposes only.
>>If you do do some testing, please post with your results,
>>success or failure.
>>
>>>It's present in current kernels for both 13 and 14, amd64 and aarch64.
>>>However, it's not present in 13's openssl.  To use it, you must either
>>>rebuild world with  WITH_OPENSSL_KTLS=YES in /etc/src.conf,
>
>>Doing it this way means that everything linked to OpenSSL will use
>>it. Probably a better test situation, but expect at least the apache
>>server to break. (Most breakage was fixed by a recent patch to the
>>serf library, but I think the apache server is still broken.)
>
>OK, it's been built and all ports recompiled and reinstalled. Things
>that use openssl on this machine are mutt (imaps) lynx (https) and
>nginx (https) and py-certbot. They all seem to work. How would I test?
Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
you should see the count for at least one of the "crypts" ticking up.
If they are all zero, it isn't working. That might depend on the apps
or setup and does not necessarily indicate broken.

Trying the nfs-over-tls should definitely test it. When it works, the
data on the wire after the first couple of Null RPCs is encrypted.
Also, if you start the daemons with "-v", then it will log how the
handshake etc. goes in /var/log/daemon.log.

rick

>thanks,
>--
>J.
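A small script, added here as an example and not part of anyone's mail in this thread, that turns Rick's "see the crypts ticking up" check into something repeatable: it sums every counter under kern.ipc.tls.stats whose name contains "crypts" from two sysctl snapshots and prints the difference. The sample snapshot lines and the specific counter names in them are constructed for illustration; on a real box, use whatever `sysctl kern.ipc.tls.stats` actually prints.

```shell
#!/bin/sh
# Added example (not from the thread): confirm KTLS is really doing the
# crypto by comparing the "crypts" counters under kern.ipc.tls.stats
# before and after driving some TLS traffic.

# Sum every counter whose name contains "crypts" from sysctl-style
# "name: value" lines read on stdin. Prints 0 if nothing matches.
ktls_crypt_total() {
    awk -F': ' '/kern\.ipc\.tls\.stats\..*crypts/ { n += $2 } END { printf "%d\n", n + 0 }'
}

# Given two snapshot files (before/after), print the increase in crypt
# operations. A positive number means KTLS encrypted or decrypted
# records during the interval. Zero only means that traffic never went
# through KTLS, which (as noted in the thread) may be an app or setup
# issue rather than a broken kernel.
ktls_crypt_delta() {
    before=$(ktls_crypt_total < "$1")
    after=$(ktls_crypt_total < "$2")
    echo $((after - before))
}

# Constructed sample snapshots standing in for `sysctl kern.ipc.tls.stats`
# taken before and after some TLS traffic. Counter names are illustrative.
SAMPLE_BEFORE='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0
kern.ipc.tls.stats.offload_total: 0
kern.ipc.tls.stats.failed_crypto: 0'
SAMPLE_AFTER='kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 1842
kern.ipc.tls.stats.offload_total: 3
kern.ipc.tls.stats.failed_crypto: 0'

# Run the delta check against the constructed samples; prints 1842.
ktls_check_samples() {
    b=$(mktemp); a=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" > "$b"
    printf '%s\n' "$SAMPLE_AFTER" > "$a"
    ktls_crypt_delta "$b" "$a"
    rm -f "$b" "$a"
}

# Real use on a FreeBSD box with a KTLS-enabled kernel and OpenSSL:
#   sysctl kern.ipc.tls.stats > /tmp/before
#   ... drive some TLS traffic (an https fetch, an NFS-over-TLS mount) ...
#   sysctl kern.ipc.tls.stats > /tmp/after
#   ktls_crypt_delta /tmp/before /tmp/after
```

Pair this with `kern.ipc.tls.stats.failed_crypto` (listed in the sample above) if it exists on your kernel: a growing crypts count with a zero failure count is the result you want to see before trusting the setup with real data.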

Received on Tue Mar 16 2021 - 22:46:31 UTC
