FreeBSD 15 and Kernel TLS (kTLS)

When checking our vmx0 on our VMware instance with # ifconfig, it shows support for both TSO4 and TSO6, making it possible to enable kTLS, right?

When running # sysctl kern.ipc.tls.stats I'm getting:

Code:
kern.ipc.tls.stats.ocf.retries: 0
kern.ipc.tls.stats.ocf.separate_output: 0
kern.ipc.tls.stats.ocf.inplace: 0
kern.ipc.tls.stats.ocf.tls13_chacha20_encrypts: 0
kern.ipc.tls.stats.ocf.tls13_chacha20_decrypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_recrypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 0
kern.ipc.tls.stats.ocf.tls13_gcm_decrypts: 0
kern.ipc.tls.stats.ocf.tls12_chacha20_encrypts: 0
kern.ipc.tls.stats.ocf.tls12_chacha20_decrypts: 0
kern.ipc.tls.stats.ocf.tls12_gcm_recrypts: 0
kern.ipc.tls.stats.ocf.tls12_gcm_encrypts: 0
kern.ipc.tls.stats.ocf.tls12_gcm_decrypts: 0
kern.ipc.tls.stats.ocf.tls11_cbc_encrypts: 0
kern.ipc.tls.stats.ocf.tls11_cbc_decrypts: 0
kern.ipc.tls.stats.ocf.tls10_cbc_encrypts: 0
kern.ipc.tls.stats.destroy_task: 0
kern.ipc.tls.stats.ifnet_disable_ok: 0
kern.ipc.tls.stats.ifnet_disable_failed: 0
kern.ipc.tls.stats.switch_failed: 0
kern.ipc.tls.stats.switch_to_sw: 0
kern.ipc.tls.stats.switch_to_ifnet: 0
kern.ipc.tls.stats.failed_crypto: 0
kern.ipc.tls.stats.corrupted_records: 0
kern.ipc.tls.stats.active: 0
kern.ipc.tls.stats.enable_calls: 0
kern.ipc.tls.stats.offload_total: 0
kern.ipc.tls.stats.sw_rx_inqueue: 0
kern.ipc.tls.stats.sw_tx_inqueue: 0
kern.ipc.tls.stats.sw_tx_pending: 0
kern.ipc.tls.stats.threads: 0

So I'm guessing the functions are already built in - in version 15 of FreeBSD (no need to load a .ko)?

I'm trying to understand how to continue from here with the information I can find.

To offload the CPU on the server, Apache httpd has the following directives:

Code:
EnableSendfile On
EnableMMAP On

# sysctl kern.ipc.tls.enable is giving me:

Code:
kern.ipc.tls.enable: 1

Do I need to make some changes to OpenSSL 3.5 in the system?

Thanks,
 
Maybe you mean TXTLS4 & TXTLS6 NIC features for TLS encryption / decryption?
Because TSO is TCP Segmentation Offload. TSO allows the NIC (or virtual NIC) to split large TCP packets into smaller segments on its own, instead of making the CPU do it.

Code:
man 4 ktls
says
OpenSSL 3.0 and later include support for ktls. OpenSSL in the base system includes KTLS support when built with *WITH_OPENSSL_KTLS*.

How do you check kTLS?
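
One way to read the counters quoted in this thread, as an added example that is not part of either post: the function below takes `sysctl` output on stdin and reports whether any application has asked the kernel to enable kTLS on a socket. The verdict labels and the second sample are constructed for this example; the counter names are the ones shown above.

```shell
#!/bin/sh
# Added example: classify kTLS use from `sysctl kern.ipc.tls.*` output.
# Verdict strings are this example's own labels, not FreeBSD terminology.

# Reads "name: value" lines on stdin, prints "<verdict> ocf_ops=<n>".
ktls_verdict() {
    awk -F': *' '
        { val[$1] = $2 + 0; seen[$1] = 1 }
        # Sum every OCF (software crypto) encrypt/decrypt/recrypt counter.
        $1 ~ /^kern\.ipc\.tls\.stats\.ocf\..*crypts$/ { ocf += $2 }
        END {
            s = "kern.ipc.tls.stats."
            if (!seen["kern.ipc.tls.enable"])      v = "no-ktls-sysctl"
            else if (!val["kern.ipc.tls.enable"])  v = "disabled"
            else if (!val[s "enable_calls"])       v = "never-requested"
            else if (!val[s "offload_total"])      v = "setup-failed"
            else if (val[s "failed_crypto"])       v = "crypto-errors"
            else if (val[s "active"])              v = "in-use"
            else                                   v = "used-earlier"
            printf "%s ocf_ops=%d\n", v, ocf
        }'
}

# Sample 1: the values reported in the first post (abridged).
SAMPLE_IDLE='kern.ipc.tls.enable: 1
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 0
kern.ipc.tls.stats.active: 0
kern.ipc.tls.stats.enable_calls: 0
kern.ipc.tls.stats.offload_total: 0'

# Sample 2: constructed counters for a host where kTLS sessions exist.
SAMPLE_BUSY='kern.ipc.tls.enable: 1
kern.ipc.tls.stats.ocf.tls13_gcm_encrypts: 5120
kern.ipc.tls.stats.ocf.tls12_gcm_encrypts: 64
kern.ipc.tls.stats.failed_crypto: 0
kern.ipc.tls.stats.active: 3
kern.ipc.tls.stats.enable_calls: 12
kern.ipc.tls.stats.offload_total: 12'

printf '%s\n' "$SAMPLE_IDLE" | ktls_verdict
printf '%s\n' "$SAMPLE_BUSY" | ktls_verdict
# On a live host: sysctl kern.ipc.tls.enable kern.ipc.tls.stats | ktls_verdict
```

With `kern.ipc.tls.enable: 1` and every counter at zero, as in the first post, the verdict is `never-requested`: the kernel side is available but no TLS library has yet made an enable call.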
 