| field | value | date |
|---|---|---|
| author | Boris Pismenny <borisp@mellanox.com> | 2017-06-01 09:25:47 +0300 |
| committer | Matt Caswell <matt@openssl.org> | 2018-12-07 11:25:45 +0000 |
| commit | 50ec750567e056fcecff2344c2d9044d81cc731b (patch) | |
| tree | c4da98b9c0a4fa6f528a74914fde3d21bc38b80a /doc/man3/SSL_CTX_set_mode.pod | |
| parent | ecd1557fb4589103316c65b1fd1d4217a30900c0 (diff) | |
| download | openssl-new-50ec750567e056fcecff2344c2d9044d81cc731b.tar.gz | |
ssl: Linux TLS Tx Offload
This patch adds support for the Linux TLS Tx socket option.
If the socket option is successful, then the data-path of the TCP socket
is implemented by the kernel.
We choose to set this option at the earliest - just after CCS is complete.
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5253)
Diffstat (limited to 'doc/man3/SSL_CTX_set_mode.pod')
-rw-r--r-- | doc/man3/SSL_CTX_set_mode.pod | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/doc/man3/SSL_CTX_set_mode.pod b/doc/man3/SSL_CTX_set_mode.pod index 8c3b760411..de4d5f26ac 100644 --- a/doc/man3/SSL_CTX_set_mode.pod +++ b/doc/man3/SSL_CTX_set_mode.pod @@ -105,6 +105,22 @@ Enable asynchronous processing. TLS I/O operations may indicate a retry with SSL_ERROR_WANT_ASYNC with this mode set if an asynchronous capable engine is used to perform cryptographic operations. See L<SSL_get_error(3)>. +=item SSL_MODE_NO_KTLS_TX + +Disable the use of the kernel TLS egress data-path. +By default kernel TLS is enabled if it is supported by the negotiated ciphersuites +and extensions and OpenSSL has been compiled with support for it. +The kernel TLS data-path implements the record layer, +and the crypto algorithm. The kernel will utilize the best hardware +available for crypto. Using the kernel data-path should reduce the memory +footprint of OpenSSL because no buffering is required. Also, the throughput +should improve because data copy is avoided when user data is encrypted into +kernel memory instead of the usual encrypt than copy to kernel. + +Kernel TLS might not support all the features of OpenSSL. For instance, +renegotiation, and setting the maximum fragment size is not possible as of +Linux 4.20. + =back All modes are off by default except for SSL_MODE_AUTO_RETRY which is on by @@ -125,6 +141,7 @@ L<SSL_write(3)>, L<SSL_get_error(3)> =head1 HISTORY SSL_MODE_ASYNC was first added to OpenSSL 1.1.0. +SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0. =head1 COPYRIGHT |
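Review bot: In the first hunk (the new `=item SSL_MODE_NO_KTLS_TX` entry) the text "By default kernel TLS is enabled if it is supported by the negotiated ciphersuites and extensions" sits directly above the existing sentence "All modes are off by default except for SSL_MODE_AUTO_RETRY", which reads as a contradiction until the reader works out that the mode is off while the kernel data-path it disables is on; suggest wording it as "The kernel TLS egress data-path is used by default when ..." and, since the entry never says which ciphersuites or protocol versions qualify, either list them or state that the application cannot assume the kernel path is taken for a given connection. Two smaller fixes in the same hunk: "the usual encrypt than copy to kernel" should be "encrypt then copy to kernel", and "renegotiation, and setting the maximum fragment size is not possible as of Linux 4.20" should drop the comma and read "are not possible", since two features are listed. The caveat paragraph is the most important part of the entry for users deciding whether to set this mode, so it would help to say explicitly that when the kernel implements the record layer, OpenSSL can no longer offer the record-layer controls it names (renegotiation, maximum fragment size), rather than leaving the reader to infer it from "might not support all the features".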
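Review bot: In the second hunk (the `=head1 HISTORY` section) the added line "SSL_MODE_NO_KTLS_TX was first added to OpenSSL 3.0.0." appears to follow "SSL_MODE_ASYNC was first added to OpenSSL 1.1.0." with no blank line between them (the hunk header `@@ -125,6 +141,7 @@` accounts for exactly one inserted line), and in POD adjacent lines are joined into a single paragraph, so the two history notes will render as one run-on sentence; suggest inserting a blank line before the new entry so each release note renders as its own paragraph, matching how the rest of the page separates paragraphs.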