Re: Getting started with ktls

From: Rick Macklem <rmacklem_at_uoguelph.ca>
Date: Wed, 17 Mar 2021 20:39:02 +0000
J. wrote:
>On Tue, Mar 16, 2021 at 11:46:27PM +0000, Rick Macklem wrote:
>>Well, if you do "sysctl -a | fgrep kern.ipc.tls.stats" and it is working,
>>you should see the count for at least one of the "crypts" ticking up.
>>If they are all zero, it isn't working. That might depend on the apps
>>or setup and does not necessarily indicate broken.
>
>OK. it's "not working" by those criteria on the stable/13 rpi4.
>This one has mutt (imaps) and lynx (https) installed. mutt appears to
>use tlsv1.3 to connect with my email provider.
I know that the receive direction only works for TLS1.2. Not sure
about the xmit direction?

Make sure you've done the following:
 - ktls_ocf is loaded
 - these sysctls are set to 1:
   kern.ipc.tls.enable
   kern.ipc.mb_use_ext_pgs

Beyond that, it will take someone more knowledgeable to figure
out if it can work for these apps?
(To be honest, for userspace applications I'm not sure there is
 any advantage to using KTLS unless you have specialized
 hardware.)

rick

>Trying the nfs-over-tls should definitely test it. When it works, the
>data on the wire after the first couple of Null RPCs is encrypted.
>Also, if you start the daemons with "-v",

This is what I'll try once buildworld etc completes on the main/14 rpi4.
--
J.
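
The checks Rick describes above (crypt counters under kern.ipc.tls.stats ticking up, kern.ipc.tls.enable and kern.ipc.mb_use_ext_pgs set to 1) as a small POSIX shell script. This is an added example, not code from the thread or from FreeBSD; the counter names in the constructed sample output are assumptions modelled on the kern.ipc.tls.stats.ocf.*_crypts sysctls, and the script only parses text, so it can be tried offline and then fed real `sysctl -a` output on a FreeBSD box.

```shell
#!/bin/sh
# Added example: evaluate KTLS status from "sysctl -a" output.
# Usage on FreeBSD:   sysctl -a | sh ktls_check.sh -
# Without "-" the constructed sample below is used instead of stdin.

# Constructed sample: settings on, TLS 1.2 GCM counter non-zero.
SAMPLE_WORKING="kern.ipc.tls.enable: 1
kern.ipc.mb_use_ext_pgs: 1
kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 4213
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls10_cbc_crypts: 0
kern.ipc.tls.stats.ocf.inplace: 4213"

# Constructed sample: KTLS disabled, every counter still zero.
SAMPLE_IDLE="kern.ipc.tls.enable: 0
kern.ipc.mb_use_ext_pgs: 1
kern.ipc.tls.stats.ocf.tls12_gcm_crypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_crypts: 0"

# ktls_settings_ok OUTPUT
# Returns 0 when both sysctls Rick lists are set to 1, 1 otherwise.
ktls_settings_ok() {
    printf '%s\n' "$1" | grep -q '^kern\.ipc\.tls\.enable: 1$' || return 1
    printf '%s\n' "$1" | grep -q '^kern\.ipc\.mb_use_ext_pgs: 1$' || return 1
    return 0
}

# ktls_crypt_total OUTPUT
# Prints the sum of every kern.ipc.tls.stats.*crypts counter (0 if none).
ktls_crypt_total() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 ~ /^kern\.ipc\.tls\.stats\..*crypts$/ { total += $2 }
        END { print total + 0 }'
}

# ktls_active OUTPUT
# Returns 0 when at least one crypt counter is non-zero, i.e. KTLS is
# actually encrypting or decrypting something, 1 otherwise.
ktls_active() {
    [ "$(ktls_crypt_total "$1")" -gt 0 ]
}

# ktls_report OUTPUT
# Prints a one-line verdict in the spirit of Rick's checklist.
ktls_report() {
    if ! ktls_settings_ok "$1"; then
        echo "ktls: kern.ipc.tls.enable / kern.ipc.mb_use_ext_pgs not both 1"
    elif ktls_active "$1"; then
        echo "ktls: working, $(ktls_crypt_total "$1") crypt operations counted"
    else
        echo "ktls: enabled but no crypts counted yet (app/setup may not use it)"
    fi
}

if [ "$1" = "-" ]; then
    ktls_report "$(cat)"
else
    ktls_report "$SAMPLE_WORKING"
    ktls_report "$SAMPLE_IDLE"
fi
```

The script deliberately separates "settings correct" from "counters moving", because, as the thread notes, zero counters with correct settings can simply mean the application or TLS version in use is not eligible for offload rather than a broken setup.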

Received on Wed Mar 17 2021 - 19:39:05 UTC
