[openssl-dev] [RFC 0/4] Kernel TLS socket API

Kurt Roeckx kurt at roeckx.be
Wed Jun 7 22:05:41 UTC 2017


On Wed, Jun 07, 2017 at 03:35:45PM +0300, Boris Pismenny wrote:
> Hello all,
> 
> I would like to introduce you to the new kernel API for TLS transmit-side
> data-path, and open a discussion regarding its support in OpenSSL.

So my understanding is that there are really 2 parts in the kernel
that change:
- The kernel is aware of TLS and can do the symmetric encryption
- The kernel can offload the symmetric encryption to the NIC

And I guess you're mostly interested in the combination of the two
where you would end up with the unencrypted data going to the NIC
and that you might get speeds close to what you can do
unencrypted. The performance gains would come from avoiding making
copies and not doing the encryption on the CPU.

My understanding from the old data is that moving the encryption
to the kernel had a negative performance impact. So this at least
looks like something we do not always want to enable. It might be
useful to have an API where we can check that the offload is
supported, or that we have an option to enable moving it to the
kernel.


Kurt


