Posted to commits@trafficserver.apache.org by ma...@apache.org on 2021/11/30 11:56:10 UTC
[trafficserver] branch master updated: Add a knob to enable kTLS (#8526)
This is an automated email from the ASF dual-hosted git repository.
maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new a7d2539 Add a knob to enable kTLS (#8526)
a7d2539 is described below
commit a7d253924a655d55212e4690f04452e219b19cbb
Author: Masakazu Kitajo <ma...@apache.org>
AuthorDate: Tue Nov 30 20:55:57 2021 +0900
Add a knob to enable kTLS (#8526)
* Add a knob to enable kTLS
This adds proxy.config.ssl.ktls.enabled to enable kTLS. With the setting
enabled, ATS passes SSL_OP_ENABLE_KTLS to OpenSSL.
* Check kTLS availability at runtime
---
doc/admin-guide/files/records.config.en.rst | 12 ++++++++++++
iocore/net/P_SSLConfig.h | 2 ++
iocore/net/P_SSLUtils.h | 1 +
iocore/net/SSLConfig.cc | 8 ++++++++
iocore/net/SSLNetVConnection.cc | 4 ++--
iocore/net/SSLUtils.cc | 19 +++++++++++++++++++
mgmt/RecordsConfig.cc | 2 ++
7 files changed, 46 insertions(+), 2 deletions(-)
diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst
index fe28768..2c155b1 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3806,6 +3806,18 @@ SSL Termination
This feature is disabled by default.
+.. ts:cv:: CONFIG proxy.config.ssl.ktls.enabled INT 0
+
+ Enables the use of Kernel TLS. This configuration requires OpenSSL v3.0 and
+ above, and it must have been compiled with support for Kernel TLS.
+
+ ===== ======================================================================
+ Value Description
+ ===== ======================================================================
+ ``0`` Disables the use of Kernel TLS.
+ ``1`` Enables the use of Kernel TLS..
+ ===== ======================================================================
+
Client-Related Configuration
----------------------------
diff --git a/iocore/net/P_SSLConfig.h b/iocore/net/P_SSLConfig.h
index 8e92525..2018c34 100644
--- a/iocore/net/P_SSLConfig.h
+++ b/iocore/net/P_SSLConfig.h
@@ -108,6 +108,8 @@ struct SSLConfigParams : public ConfigInfo {
char *keylog_file;
+ static bool ssl_ktls_enabled;
+
static uint32_t server_max_early_data;
static uint32_t server_recv_max_early_data;
static bool server_allow_early_data_params;
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index 4215644..6452d7f 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -224,6 +224,7 @@ private:
virtual bool _set_npn_callback(SSL_CTX *ctx);
virtual bool _set_alpn_callback(SSL_CTX *ctx);
virtual bool _set_keylog_callback(SSL_CTX *ctx);
+ virtual bool _enable_ktls(SSL_CTX *ctx);
};
// Create a new SSL server context fully configured (cert and keys are optional).
diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc
index 830ae1c..a25b9f6 100644
--- a/iocore/net/SSLConfig.cc
+++ b/iocore/net/SSLConfig.cc
@@ -76,6 +76,7 @@ size_t SSLConfigParams::session_cache_max_bucket_size = 100;
init_ssl_ctx_func SSLConfigParams::init_ssl_ctx_cb = nullptr;
load_ssl_file_func SSLConfigParams::load_ssl_file_cb = nullptr;
IpMap *SSLConfigParams::proxy_protocol_ipmap = nullptr;
+bool SSLConfigParams::ssl_ktls_enabled = false;
const uint32_t EARLY_DATA_DEFAULT_SIZE = 16384;
uint32_t SSLConfigParams::server_max_early_data = 0;
@@ -433,6 +434,13 @@ SSLConfigParams::initialize()
TLSKeyLogger::enable_keylogging(keylog_file);
}
+ REC_ReadConfigInt32(ssl_ktls_enabled, "proxy.config.ssl.ktls.enabled");
+#ifndef SSL_OP_ENABLE_KTLS
+ if (ssl_ktls_enabled) {
+ Error("kTLS configured but not supported by OpenSSL library");
+ }
+#endif
+
REC_ReadConfigInt32(ssl_allow_client_renegotiation, "proxy.config.ssl.allow_client_renegotiation");
REC_ReadConfigInt32(ssl_misc_max_iobuffer_size_index, "proxy.config.ssl.misc.io.max_buffer_index");
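Review bot: In the `#ifndef SSL_OP_ENABLE_KTLS` branch the Error is logged but `ssl_ktls_enabled` stays true, so the stored configuration no longer matches what the process does (the `_enable_ktls` body in the SSLUtils.cc hunk is under the same `#ifdef`, so the option is never applied). Clearing the flag right after the message keeps state, logs and any later readers of the knob consistent: `ssl_ktls_enabled = false;` inside the `if`. A one-line comment above the `#ifndef` would also make the intent clear, e.g. `// SSL_OP_ENABLE_KTLS is only defined by OpenSSL builds with kTLS support; warn if the knob is set but cannot take effect`. initialize() continues outside the hunk.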
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index d556f4b..282bbe5 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -170,7 +170,7 @@ SSLNetVConnection::_make_ssl_connection(SSL_CTX *ctx)
} else {
this->initialize_handshake_buffers();
BIO *rbio = BIO_new(BIO_s_mem());
- BIO *wbio = BIO_new_fd(this->get_socket(), BIO_NOCLOSE);
+ BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
BIO_set_mem_eof_return(wbio, -1);
SSL_set_bio(ssl, rbio, wbio);
@@ -515,7 +515,7 @@ SSLNetVConnection::update_rbio(bool move_to_socket)
retval = true;
// Handshake buffer is empty but we have read something, move to the socket rbio
} else if (move_to_socket && this->handShakeHolder->is_read_avail_more_than(0)) {
- BIO *rbio = BIO_new_fd(this->get_socket(), BIO_NOCLOSE);
+ BIO *rbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);
BIO_set_mem_eof_return(rbio, -1);
SSL_set0_rbio(this->ssl, rbio);
free_handshake_buffers();
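Review bot: The replacement of BIO_new_fd with BIO_new_socket for the wbio here and the rbio in update_rbio is explained neither by a comment nor by the commit description, yet it applies to every TLS connection whether or not proxy.config.ssl.ktls.enabled is set. Presumably it is needed because OpenSSL's kTLS offload is implemented in the socket BIO and does not engage on an fd BIO; if so, a why-comment at each call would stop the next reader from reverting it, e.g. `// kTLS only engages on a socket BIO; BIO_s_fd does not support the kTLS controls`. While here, note that BIO_set_mem_eof_return is a memory-BIO control and has no effect on the socket BIO it is applied to on the next line, as was already the case with the fd BIO. Both enclosing functions start and end outside the hunk.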
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 40bb070..7581b94 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -680,6 +680,21 @@ DH_get_2048_256()
}
#endif
+bool
+SSLMultiCertConfigLoader::_enable_ktls(SSL_CTX *ctx)
+{
+#ifdef SSL_OP_ENABLE_KTLS
+ if (SSLConfigParams::ssl_ktls_enabled) {
+ if (SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS)) {
+ Debug("ssl.ktls", "KTLS is enabled");
+ } else {
+ return false;
+ }
+ }
+#endif
+ return true;
+}
+
static SSL_CTX *
ssl_context_enable_dhe(const char *dhparams_file, SSL_CTX *ctx)
{
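Review bot: The `else { return false; }` branch in `_enable_ktls` is effectively unreachable, because SSL_CTX_set_options returns the resulting options bitmask (which is non-zero once SSL_OP_ENABLE_KTLS has been OR-ed in), not a success flag, so the `goto fail` path added at the call site in init_server_ssl_ctx is dead code. If the intent is to verify the bit was accepted, test the returned mask, `if ((SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS) & SSL_OP_ENABLE_KTLS) == 0) {` and swap the branches accordingly; otherwise drop the check and keep only the Debug line. As far as I know, whether the kernel actually takes over record processing is decided per connection at handshake time, so this function cannot confirm kTLS is in use; a header comment saying so, e.g. `// Sets SSL_OP_ENABLE_KTLS on ctx when configured; kernel support is only determined per connection during the handshake`, would prevent the Debug message from being read as confirmation. The same applies to the later hunk in this file that adds the call.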
@@ -1419,6 +1434,10 @@ SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
goto fail;
}
+ if (!this->_enable_ktls(ctx)) {
+ goto fail;
+ }
+
if (!ssl_context_enable_dhe(_params->dhparamsFile, ctx)) {
goto fail;
}
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index fda8c55..0b83fb1 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1214,6 +1214,8 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.keylog_file", RECD_STRING, nullptr, RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
+ {RECT_CONFIG, "proxy.config.ssl.ktls.enabled", RECD_INT, "0", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ ,
//##############################################################################
//#
//# OCSP (Online Certificate Status Protocol) Stapling Configuration