On 11/4/22 5:20 PM, Michael Elf wrote:
> I'd like to use OpenSSL with KTLS for websocket protocol, mainly for receiving but also transmit. I'm using the latest version of OpenSSL from source, with Ubuntu 20.04 and 22.04. I currently use the regular SSL_read() and SSL_write() functions to receive and transmit bytes. I have not used BIO interfaces before and do not currently have one.
>
> I saw an Issue on the Github page discussing KTLS: https://github.com/openssl/openssl/issues/14595
>
> In particular:
>
>     KTLS will be used if ... You are using a suitable KTLS aware BIO (BIO_s_connect(), or BIO_s_socket()). You don't need to do anything special in your code. SSL_write will just do the right thing if the above conditions are met.
>
> The last part suggests SSL_write() will work out-of-the-box, so long as we have a BIO interface.
>
> 1) Will SSL_read() work with KTLS too?

It can. It depends on your kernel/OS version and what capabilities you have. I'm more familiar with FreeBSD than Linux, and in FreeBSD's case KTLS for sending landed in the kernel before KTLS for receiving. The same thing was also repeated when TLS 1.3 support was added (sending before receiving) on both Linux and FreeBSD I believe. Some NICs can also do TLS offload, though whether or not you can do both send and receive can depend on things like the specific NIC, kernel/driver version, and TLS protocol version.

> 2) If we can still call SSL_read() and SSL_write() with KTLS, what is the purpose/requirement for the BIO interface?

You still need to read/write on a socket and BIO is used to deal with that. KTLS allows SSL_read/write to take shorter paths that get to the BIO interface to do I/O directly on the socket sooner. While you could just call read and write directly, I don't think it would really save you much time.

> 3) If we cannot use SSL_read() and SSL_write() I assume we have to use BIO_read() and BIO_write(). I read somewhere to receive a packet I must read bytes from the BIO and pass to the SSL layer. For KTLS this seems odd, the whole idea is we want all processing performed in the kernel. Have I misunderstood this?

Yes, you can just use SSL_read.

> 4) Are there any significant performance differences (between Linux distributions) for KTLS + OpenSSL?

I think any performance differences (if any) would be due to kernel versions and not really OpenSSL.

-- 
John Baldwin