<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:DengXian;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"\@DengXian";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:-apple-system;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
span.EmailStyle22
        {mso-style-type:personal-compose;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hello Boris/John<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am from NXP and currently working on enabling KTLS on NXP platforms via openssl.<o:p></o:p></p>
<p class="MsoNormal">I see that you enabled KTLS support in openssl 3.0 (<a href="https://www.openssl.org/news/changelog.html#openssl-30">https://www.openssl.org/news/changelog.html#openssl-30</a>).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I configure openssl 3.0 or 3.1.0 with enable-ktls and try to run the s_server and s_client applications,<o:p></o:p></p>
<p class="MsoNormal">I observe that the connection is successfully established, but it didn't use KTLS.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Then I added an additional log in the kernel (file net/tls/tls_main.c) and see that the kernel is returning error -ENOTCONN
<o:p></o:p></p>
<p class="MsoNormal">when (sk->sk_state != TCP_ESTABLISHED) in function static int tls_init(struct sock *sk)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Please help to see the problem.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Openssl repo: <a href="https://github.com/openssl/openssl">https://github.com/openssl/openssl</a> , branch: master or openssl-3.0<o:p></o:p></p>
<p class="MsoNormal"><b>logs:<o:p></o:p></b></p>
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="border-collapse:collapse;border:none">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<b><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F;background:white">$ ./Configure enable-ktls linux-aarch64</span></b><strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F;font-weight:normal"><o:p></o:p></span></strong></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">$ openssl version</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )</span><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">$ openssl s_server -ktls -key rsa.key -cert server.pem -accept 443</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
sk->sk_state != TCP_ESTABLISHED   <span style="background:white">(<span style="background:yellow;mso-highlight:yellow">log added in kernel net/tls/tls_main.c</span>)</span><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">ACCEPT<br>
-----BEGIN SSL SESSION PARAMETERS-----<br>
MF8CAQECAgMDBALAMAQABDADNEkWucVTZpiKPtRz48bGM1wHHnOUlta9WcSH9Q3y<br>
4jdP8DgTAZAkrkD9SbCbs6uhBgIEYdQH96IEAgIcIKQGBAQBAAAArQMCAQGzAwIB<br>
HQ==<br>
-----END SSL SESSION PARAMETERS-----<br>
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384<br>
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512<br>
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512<br>
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2<br>
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1<br>
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1<br>
CIPHER is ECDHE-RSA-AES256-GCM-SHA384<br>
Secure Renegotiation IS supported<o:p></o:p></span></p>
<p style="margin-top:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">$ openssl s_client -quiet -connect 192.168.0.139:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -tls1_2 -ktls</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
[1119274.610941] sk->sk_state != TCP_ESTABLISHED<br>
Connecting to 192.168.0.139<br>
Can't use SSL_get_servername<br>
depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=<a href="mailto:gaura.jain@nxp.com">gaura.jain@nxp.com</a><br>
verify error:num=18:self-signed certificate<br>
verify return:1<br>
depth=0 C=IN, ST=NOIDA, L=NOIDA, O=NXP, OU=EP, CN=Gaurav, emailAddress=<a href="mailto:gaura.jain@nxp.com">gaura.jain@nxp.com</a><br>
verify return:1</span><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards<o:p></o:p></p>
<p class="MsoNormal">Gaurav Jain<o:p></o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Gaurav Jain <br>
<b>Sent:</b> Wednesday, December 22, 2021 3:54 PM<br>
<b>To:</b> openssl-users@openssl.org<br>
<b>Cc:</b> Varun Sethi &lt;V.Sethi@nxp.com&gt;; Pankaj Gupta &lt;pankaj.gupta@nxp.com&gt;<br>
<b>Subject:</b> KTLS with openssl 3.0 fail with error ENOTCONN(Transport endpoint is not connected)
<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin-bottom:12.0pt;background:white"><strong><span lang="FR" style="font-size:10.5pt;font-family:-apple-system;color:#24292F;font-weight:normal">Hi<o:p></o:p></span></strong></p>
<p style="margin-bottom:12.0pt;background:white"><strong><span lang="FR" style="font-size:10.5pt;font-family:-apple-system;color:#24292F">Kernel Support for KTLS:</span></strong><span lang="FR" style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
kernel version is 5.15<br>
CONFIG_TLS=y<br>
CONFIG_TLS_DEVICE=y<br>
CONFIG_CRYPTO_TLS=y</span><o:p></o:p></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">Openssl:</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
$ ./Configure enable-ktls linux-aarch64<br>
$ make<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">Server</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
$ ./openssl version<br>
OpenSSL 3.0.2-dev 14 Dec 2021 (Library: OpenSSL 3.0.0 7 sep 2021)<br>
$ ./openssl s_server -key rsa.key -cert server.pem -accept 443<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">error</span></strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
<strong><span style="font-family:-apple-system">file</span></strong>: crypto/bio/bio_sock2.c<br>
<strong><span style="font-family:-apple-system">function:</span></strong> BIO_socket()<br>
ktls_enable(sock); failed with ENOTCONN error<br>
setsockopt failed, 107, Transport endpoint is not connected<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<strong><span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">server logs (added some debug logs)</span></strong><strong><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></strong></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="623" valign="top" style="width:467.5pt;border:solid windowtext 1.0pt;padding:0in 5.4pt 0in 5.4pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">root@imx8mmevk:~# ./openssl s_server -key rsa.key -cert server.pem -accept 443<br>
sk->sk_state != TCP_ESTABLISHED (log added in kernel net/tls/tls_main.c)<br>
sk->sk_state != TCP_ESTABLISHED</span><o:p></o:p></p>
<p style="margin-top:0in;background:white;box-sizing: border-box;font-variant-ligatures: normal;font-variant-caps: normal;orphans: 2;text-align:start;widows: 2;-webkit-text-stroke-width: 0px;text-decoration-thickness: initial;text-decoration-style: initial;text-decoration-color: initial;word-spacing:0px">
<span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">BIO_socket sock_family = 10, sock_type = 1, sock_protocol = 6, return = 3<br>
setsockopt failed, 107, Transport endpoint is not connected<br>
BIO_socket, ktls_enable(asock) = 0<br>
ACCEPT<br>
setsockopt failed, 17, File exists<br>
BIO_new_socket, ktls_enable(s) = 0<br>
-----BEGIN SSL SESSION PARAMETERS-----<br>
MF8CAQECAgMDBALAMAQABDAC9MHCSSlLXrS0D8tq2hCZtW0vmB1EC6HQerBThuev<br>
PdX7VOUnD1a2bybdw1LfEiqhBgIEYcLciaIEAgIcIKQGBAQBAAAArQMCAQGzAwIB<br>
HQ==<br>
-----END SSL SESSION PARAMETERS-----<br>
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384<br>
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512<br>
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512<br>
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2<br>
Supported groups: x25519:secp256r1:x448:secp521r1:secp384r1<br>
Shared groups: x25519:secp256r1:x448:secp521r1:secp384r1<br>
CIPHER is ECDHE-RSA-AES256-GCM-SHA384<br>
Secure Renegotiation IS supported<br>
Using Kernel TLS for sending fail<br>
Using Kernel TLS for receiving fail<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;color:#24292F"><br>
Regards<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white">
<span style="font-size:10.5pt;font-family:-apple-system;color:#24292F">Gaurav Jain<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
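<p class="MsoNormal">Added example, not part of the original mail or of OpenSSL: a small C probe that issues the TCP_ULP "tls" setsockopt (the call behind ktls_enable()) on a TCP socket before connect(), after connect(), and a second time, and names the errno each attempt returns. The helper names (try_tls_ulp, explain_ulp_errno, probe_tls_ulp) and the loopback listener are assumptions made for this example.</p>

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#ifndef TCP_ULP
#define TCP_ULP 31  /* value from linux/tcp.h, for older libc headers */
#endif

/* Ask the kernel to attach the "tls" ULP to fd; returns 0 or the errno. */
int try_tls_ulp(int fd) {
    return setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")) ? errno : 0;
}

/* Meaning of the errno values this call returns (107 and 17 in the logs). */
const char *explain_ulp_errno(int err) {
    switch (err) {
    case ENOTCONN: return "socket is not in TCP_ESTABLISHED state";
    case EEXIST:   return "a ULP is already attached to this socket";
    case ENOENT:   return "tls ULP not registered (module not loaded)";
    default:       return strerror(err);   /* 0 prints as "Success" */
    }
}

/* Three attempts on one client socket; out[] gets each errno. -1 = setup failed. */
int probe_tls_ulp(int out[3]) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(a);
    int rc = -1, ls = socket(AF_INET, SOCK_STREAM, 0), c = socket(AF_INET, SOCK_STREAM, 0);
    if (ls >= 0 && c >= 0 && !bind(ls, (struct sockaddr *)&a, sizeof(a)) &&
        !listen(ls, 1) && !getsockname(ls, (struct sockaddr *)&a, &len)) {
        out[0] = try_tls_ulp(c);                 /* before connect() */
        if ((rc = connect(c, (struct sockaddr *)&a, sizeof(a))) == 0) {
            out[1] = try_tls_ulp(c);             /* connection established */
            out[2] = try_tls_ulp(c);             /* repeated call, same socket */
        }
    }
    if (c >= 0) close(c);
    if (ls >= 0) close(ls);
    return rc;
}

int main(void) {
    int r[3], i, rc = probe_tls_ulp(r);
    for (i = 0; rc == 0 && i < 3; i++) printf("attempt %d: %s\n", i + 1, explain_ulp_errno(r[i]));
    return rc ? 1 : 0;
}
```

<p class="MsoNormal">On a kernel with the tls module available the three attempts report ENOTCONN, success and EEXIST, the same 107 and 17 values that appear in the server log above.</p>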
</div>
</body>
</html>