| author | Maxim Mikityanskiy <maximmi@nvidia.com> | 2022-11-09 11:26:11 +0200 |
|---|---|---|
| committer | Tomas Mraz <tomas@openssl.org> | 2022-11-24 13:19:37 +0100 |
| commit | cd715b7e7fdd2aeb0fd80220d2df5187b291f87a (patch) | |
| tree | af68ab6d8097544d1b7f6367cf3cc64d5679f71e /doc/man1/openssl-s_server.pod.in | |
| parent | 394f6f246af23876f3d7a0332eb194aaa5127643 (diff) | |
Add support for KTLS zerocopy sendfile on Linux

TLS device offload allows performing zerocopy sendfile transmissions.
FreeBSD provides this feature by default, and Linux 5.19 introduced it
as an opt-in. Zerocopy improves the TX rate significantly, but has a
side effect: if the underlying file is changed while being transmitted,
and a TCP retransmission happens, the receiver may get a TLS record
containing both new and old data, which leads to an authentication
failure and termination of the connection. This effect is the reason Linux
makes a copy on sendfile by default.

This commit adds support for TLS zerocopy sendfile on Linux, disabled by
default to avoid any unlikely backward compatibility issues on Linux,
although sacrificing consistency in OpenSSL's behavior on Linux and
FreeBSD. A new option called KTLSTxZerocopySendfile is added to enable
the new zerocopy behavior on Linux. This option should be used when the
application guarantees that the file is not modified during
transmission, or it doesn't care about breaking the connection.

The related documentation is also added in this commit. The unit test
added doesn't test the actual functionality (it would require specific
hardware and a non-local peer), but solely checks that it's possible to
set the new option flag.
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Boris Pismenny <borisp@nvidia.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18650)
Diffstat (limited to 'doc/man1/openssl-s_server.pod.in')
-rw-r--r-- | doc/man1/openssl-s_server.pod.in | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 94f3b4b46c..a1e354908c 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -132,6 +132,7 @@ B<openssl> B<s_server> [B<-alpn> I<val>] [B<-ktls>] [B<-sendfile>] +[B<-zerocopy_sendfile>] [B<-keylogfile> I<outfile>] [B<-recv_max_early_data> I<int>] [B<-max_early_data> I<int>] @@ -792,6 +793,15 @@ instead of BIO_write() to send the HTTP response requested by a client. This option is only valid when B<-ktls> along with B<-WWW> or B<-HTTP> are specified. +=item B<-zerocopy_sendfile> + +If this option is set, SSL_sendfile() will use the zerocopy TX mode, which gives +a performance boost when used with KTLS hardware offload. Note that invalid +TLS records might be transmitted if the file is changed while being sent. +This option depends on B<-sendfile>; when used alone, B<-sendfile> is implied, +and a warning is shown. Note that KTLS sendfile on FreeBSD always runs in the +zerocopy mode. + =item B<-keylogfile> I<outfile> Appends TLS secrets to the specified keylog file such that external programs |
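Review bot: in the second hunk, the new B<-zerocopy_sendfile> item never says that zerocopy TX is a Linux-specific opt-in that needs kernel support (the commit message states Linux 5.19 introduced it, while FreeBSD always uses it), so a reader cannot tell when the option has any effect; suggest adding a sentence such as "On Linux this mode requires kernel support for zerocopy sendfile and is off by default; on FreeBSD KTLS sendfile always runs in zerocopy mode", which would also replace the second "Note that" sentence. The risk statement "invalid TLS records might be transmitted if the file is changed while being sent" would be more useful if it named the visible consequence given in the commit message: the peer fails record authentication and the connection is terminated, so the option should only be enabled when the application guarantees the file is not modified during transmission. Minor style: "the zerocopy TX mode" and "the zerocopy mode" read better as "zerocopy mode".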