Date: Tue, 24 Aug 2021 01:01:44 GMT
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: df8406ca0f05 - stable/13 - nfs tls: Update for SSL_OP_ENABLE_KTLS.
Message-ID: <202108240101.17O11i9B026198@gitrepo.freebsd.org>
The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=df8406ca0f053649dbd6a808486141a11bb4c3a8 commit df8406ca0f053649dbd6a808486141a11bb4c3a8 Author: John Baldwin <jhb@FreeBSD.org> AuthorDate: 2021-08-10 21:18:43 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2021-08-24 00:59:34 +0000 nfs tls: Update for SSL_OP_ENABLE_KTLS. Upstream OpenSSL (and the KTLS backport) have switched to an opt-in option (SSL_OP_ENABLE_KTLS) in place of opt-out modes (SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel TLS. Reviewed by: rmacklem Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D31445 (cherry picked from commit c7bb0f47f721a2095ed6100bca595ba68fa5645a) --- usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c | 5 +++++ usr.sbin/rpc.tlsservd/rpc.tlsservd.c | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c index af803f203ffd..5e66f4b4b2dd 100644 --- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c +++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c @@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void) SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2; #else flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3; +#endif +#ifdef SSL_OP_ENABLE_KTLS + flags |= SSL_OP_ENABLE_KTLS; #endif SSL_CTX_set_options(ctx, flags); +#ifdef SSL_MODE_NO_KTLS_TX SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX); +#endif return (ctx); } diff --git a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c index 1c7687cad87a..71787b162acd 100644 --- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c +++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c 
@@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, rpctls_verify_callback); } +#ifdef SSL_OP_ENABLE_KTLS + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif +#ifdef SSL_MODE_NO_KTLS_TX SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX); +#endif return (ctx); }
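Review bot: In rpctls_setupcl_ssl() (rpc.tlsclntd.c), the new guard around SSL_CTX_clear_mode() tests only SSL_MODE_NO_KTLS_TX, while the guarded call also references SSL_MODE_NO_KTLS_RX. A header that defines one macro without the other would break the build, so consider `#if defined(SSL_MODE_NO_KTLS_TX) && defined(SSL_MODE_NO_KTLS_RX)`. A one-line comment noting that the clear_mode call is kept only for OpenSSL versions that still use the opt-out modes would also make the two adjacent #ifdef blocks easier to read.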
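Review bot: In rpctls_setup_ssl() (rpc.tlsservd.c), if neither SSL_OP_ENABLE_KTLS nor SSL_MODE_NO_KTLS_TX is defined, both new #ifdef blocks compile away and the context is returned without any request for kernel TLS, and nothing at build time flags that. Consider expressing the two cases as a single `#if defined(SSL_OP_ENABLE_KTLS)` / `#elif defined(SSL_MODE_NO_KTLS_TX)` / `#else` chain, with the `#else` branch carrying a comment or a build-time diagnostic, so the no-KTLS configuration is a visible decision rather than a silent fallthrough.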