From 69e732ab6f9da866867a355fd88ebfa453531344 Mon Sep 17 00:00:00 2001
From: Kevin Lin
Date: Wed, 6 Apr 2022 19:39:48 -0700
Subject: tls: Add switch to opt-in to kernel TLS on OpenSSL 3.0.0+
---
 memcached.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'memcached.c')
diff --git a/memcached.c b/memcached.c
index 6623dec..41518d2 100644
--- a/memcached.c
+++ b/memcached.c
@@ -233,6 +233,7 @@ static void settings_init(void) {
 settings.ssl_last_cert_refresh_time = current_time;
 settings.ssl_wbuf_size = 16 * 1024; // default is 16KB (SSL max frame size is 17KB)
 settings.ssl_session_cache = false;
+ settings.ssl_kernel_tls = false;
 settings.ssl_min_version = TLS1_2_VERSION;
 #endif
 /* By default this string should be NULL for getaddrinfo() */
@@ -1976,6 +1977,7 @@ void process_stat_settings(ADD_STAT add_stats, void *c) {
 APPEND_STAT("ssl_ca_cert", "%s", settings.ssl_ca_cert ? settings.ssl_ca_cert : "NULL");
 APPEND_STAT("ssl_wbuf_size", "%u", settings.ssl_wbuf_size);
 APPEND_STAT("ssl_session_cache", "%s", settings.ssl_session_cache ? "yes" : "no");
+ APPEND_STAT("ssl_kernel_tls", "%s", settings.ssl_kernel_tls ? "yes" : "no");
 APPEND_STAT("ssl_min_version", "%s", ssl_proto_text(settings.ssl_min_version));
 #endif
 #ifdef PROXY
@@ -4069,6 +4071,7 @@ static void usage(void) {
 " (default: %u)\n", settings.ssl_wbuf_size / (1 << 10));
 printf(" - ssl_session_cache: enable server-side SSL session cache, to support session\n"
 " resumption\n"
+ " - ssl_kernel_tls: enable kernel TLS offload\n"
 " - ssl_min_version: minimum protocol version to accept (default: %s)\n"
 #if defined(TLS1_3_VERSION)
 " valid values are 0(%s), 1(%s), 2(%s), or 3(%s).\n",
@@ -4743,6 +4746,7 @@ int main (int argc, char **argv) {
 SSL_CA_CERT,
 SSL_WBUF_SIZE,
 SSL_SESSION_CACHE,
+ SSL_KERNEL_TLS,
 SSL_MIN_VERSION,
 #endif
 #ifdef PROXY
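Review bot: The `ssl_kernel_tls` line added in process_stat_settings reports only the configured flag, so `yes` does not show that any connection is actually using kernel TLS. OpenSSL can keep record processing in user space when the kernel or the negotiated cipher does not support offload, and the code that applies the setting is outside this path-limited diff, so whether such a fallback is logged cannot be confirmed here. I would add a comment above the line, `/* configured value only; does not indicate that kTLS is active on a connection */`, and consider a separate counter if operators need the effective state. The body of process_stat_settings starts and ends outside the hunk.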
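Review bot: The help line added in usage() states neither the requirement named in the commit subject nor the default, unlike the neighbouring entries that print `(default: ...)`. An operator reading `-h` cannot tell why the option might have no effect or whether it is on by default. Suggested wording: `" - ssl_kernel_tls: enable kernel TLS offload; needs OpenSSL 3.0.0+ (default: off)\n"`, with the default taken from the `settings.ssl_kernel_tls = false;` line in settings_init. The printf call this string belongs to continues outside the hunk.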
@@ -4802,6 +4806,7 @@ int main (int argc, char **argv) {
 [SSL_CA_CERT] = "ssl_ca_cert",
 [SSL_WBUF_SIZE] = "ssl_wbuf_size",
 [SSL_SESSION_CACHE] = "ssl_session_cache",
+ [SSL_KERNEL_TLS] = "ssl_kernel_tls",
 [SSL_MIN_VERSION] = "ssl_min_version",
 #endif
 #ifdef PROXY
@@ -5483,6 +5488,9 @@ int main (int argc, char **argv) {
 case SSL_SESSION_CACHE:
 settings.ssl_session_cache = true;
 break;
+ case SSL_KERNEL_TLS:
+ settings.ssl_kernel_tls = true;
+ break;
 case SSL_MIN_VERSION: {
 int min_version;
 if (subopts_value == NULL) {
-- cgit v1.2.1
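Review bot: The `SSL_KERNEL_TLS` case sets `settings.ssl_kernel_tls` unconditionally, and nothing visible in this file ties it to the OpenSSL 3.0.0+ requirement named in the commit subject. If the build's OpenSSL predates `SSL_OP_ENABLE_KTLS`, the option would presumably be accepted and shown as `yes` in stats while TLS stays in user space; the enabling code is outside this path-limited diff, so it may already handle this. I would reject the option at parse time on such builds instead of accepting it silently, as sketched below, using whatever error exit the neighbouring cases in main() use. The switch statement and main() begin and end outside the hunk.

```c
case SSL_KERNEL_TLS:
#if defined(SSL_OP_ENABLE_KTLS)
    settings.ssl_kernel_tls = true;
#else
    /* Option constant is absent before OpenSSL 3.0.0: refuse instead of silently ignoring. */
    fprintf(stderr, "ssl_kernel_tls requires OpenSSL 3.0.0 or newer\n");
    return 1;
#endif
    break;
```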