Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 14.0-CURRENT FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.2-STABLE FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.4-STABLE FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.1 CentOS 7.0 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 8.1.0 Debian 7.8.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 IRIX 6.5.30 Inferno 4th Edition Linux Slackware 3.1 MACH 2.5/i386 Minix 2.0 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 20030208pre4/ppc OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenStep 4.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Red Hat 9 Rhapsody DR1 Rhapsody DR2 Sun UNIX 0.4 SunOS 5.8 SunOS 5.7 SunOS 4.1.3 SuSE 11.3 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 SunOS 5.10 SunOS 5.9 SunOS 5.6 SunOS 5.5.1 SuSE 11.2 SuSE 6.0 ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

KTLS(4)		       FreeBSD Kernel Interfaces Manual		       KTLS(4)

NAME
     ktls -- kernel Transport Layer Security

SYNOPSIS
     options KERN_TLS

DESCRIPTION
     The ktls facility allows the kernel to perform Transport Layer Security
     (TLS) framing on TCP sockets.  With ktls, the initial handshake for a
     socket using TLS is performed in userland.	 Once the session keys are ne-
     gotiated, they are	provided to the	kernel via the TCP_TXTLS_ENABLE	and
     TCP_RXTLS_ENABLE socket options.  Both socket options accept a struct
     tls_enable	structure as their argument.  The members of this structure
     describe the cipher suite used for	the TLS	session	and provide the	ses-
     sion keys used for	the respective direction.

     ktls only permits the session keys	to be set once in each direction.  As
     a result, applications must disable rekeying when using ktls.

   Modes
     ktls can operate in different modes.  A given socket may use different
     modes for transmit	and receive, or	a socket may only offload a single di-
     rection.  The available modes are:

     TCP_TLS_MODE_NONE	    ktls is not	enabled.

     TCP_TLS_MODE_SW	    TLS	records	are encrypted or decrypted in the ker-
			    nel	in the socket layer.  Typically	the encryption
			    or decryption is performed in software, but	it may
			    also be performed by co-processors via crypto(9).

     TCP_TLS_MODE_IFNET	    TLS	records	are encrypted or decrypted by the net-
			    work interface card	(NIC).	In this	mode, the net-
			    work stack does not	work with encrypted data.  In-
			    stead, the NIC encrypts TLS	records	as they	are
			    being transmitted, or decrypts received TLS
			    records before providing them to the host.

			    Network interfaces which support this feature will
			    advertise the TXTLS4 (for IPv4) and/or TXTLS6 (for
			    IPv6) capabilities as reported by ifconfig(8).
			    These capabilities can also	be controlled by
			    ifconfig(8).

			    If a network interface supports rate limiting
			    (also known	as packet pacing) for TLS offload, the
			    interface will advertise the TXTLS_RTLMT capabil-
			    ity.

     TCP_TLS_MODE_TOE	    TLS	records	are encrypted by the NIC using a TCP
			    offload engine (TOE).  This	is similar to
			    TCP_TLS_MODE_IFNET in that the network stack does
			    not	work with encrypted data.  However, this mode
			    works in tandem with a TOE to handle interactions
			    between TCP	and TLS.

   Transmit
     Once TLS transmit is enabled by a successful set of the TCP_TXTLS_ENABLE
     socket option, all	data written on	the socket is stored in	TLS records
     and encrypted.  Most data is transmitted in application layer TLS
     records, and the kernel chooses how to partition data among TLS records.
     Individual	TLS records with a fixed length	and record type	can be sent by
     sendmsg(2)	with the TLS record type set in	a TLS_SET_RECORD_TYPE control
     message.  The payload of this control message is a	single byte holding
     the desired TLS record type.  This	can be used to send TLS	records	with a
     type other	than application data (for example, handshake messages)	or to
     send application data records with	specific contents (for example,	empty
     fragments).

     TLS transmit requires the use of unmapped mbufs.  Unmapped	mbufs are not
     enabled by	default, but can be enabled by setting the
     kern.ipc.mb_use_ext_pgs sysctl node to 1.

     The current TLS transmit mode of a	socket can be queried via the
     TCP_TXTLS_MODE socket option.  A socket using TLS transmit	offload	can
     also set the TCP_TXTLS_MODE socket	option to toggle between
     TCP_TLS_MODE_SW and TCP_TLS_MODE_IFNET.

   Receive
     Once TLS receive is enabled by a successful set of	the TCP_RXTLS_ENABLE
     socket option, all	data read from the socket is returned as decrypted TLS
     records.  Each received TLS record	must be	read from the socket using
     recvmsg(2).  Each received	TLS record will	contain	a TLS_GET_RECORD con-
     trol message along	with the decrypted payload.  The control message con-
     tains a struct tls_get_record which includes fields from the TLS record
     header.  If an invalid or corrupted TLS record is received, recvmsg(2)
     will fail with one	of the following errors:

     [EINVAL]		The version fields in a	TLS record's header did	not
			match the version required by the struct tls_enable
			structure used to enable in-kernel TLS.

     [EMSGSIZE]		A TLS record's length was either too small or too
			large.

     [EMSGSIZE]		The connection was closed after	sending	a truncated
			TLS record.

     [EBADMSG]		The TLS	record failed to match the included authenti-
			cation tag.

     The current TLS receive mode of a socket can be queried via the
     TCP_RXTLS_MODE socket option.  At present,	the mode cannot	be changed.

   Sysctl Nodes
     ktls uses several sysctl nodes under the kern.ipc.tls node.  A few	of
     them are described	below:

     kern.ipc.tls.enable      Determines if new	kernel TLS sessions can	be
			      created.

     kern.ipc.tls.cbc_enable  Determines if new	kernel TLS sessions with a ci-
			      pher suite using AES-CBC can be created.

     kern.ipc.tls.sw	      A	tree of	nodes containing statistics for	TLS
			      sessions using TCP_TLS_MODE_SW.

     kern.ipc.tls.ifnet	      A	tree of	nodes containing statistics for	TLS
			      sessions using TCP_TLS_MODE_IFNET.

     kern.ipc.tls.toe	      A	tree of	nodes containing statistics for	TLS
			      sessions using TCP_TLS_MODE_TOE.

     kern.ipc.tls.stats	      A	tree of	nodes containing various kernel	TLS
			      statistics.

   Backends
     The base system includes a	software backend for the TCP_TLS_MODE_SW mode
     which uses	crypto(9) to encrypt and decrypt TLS records.  This backend
     can be enabled by loading the ktls_ocf.ko kernel module.

     The cxgbe(4) and mlx5en(4)	drivers	include	support	for the
     TCP_TLS_MODE_IFNET	mode.

     The cxgbe(4) driver includes support for the TCP_TLS_MODE_TOE mode.

   Supported Libraries
     OpenSSL 3.0 and later include support for ktls.  The
     security/openssl-devel port may also be built with	support	for ktls by
     enabling the KTLS option.	OpenSSL	in the base system includes KTLS sup-
     port when built with WITH_OPENSSL_KTLS.

     Applications using	a supported library should generally work with ktls
     without any changes provided they use standard interfaces such as
     SSL_read(3) and SSL_write(3).  Additional performance may be gained by
     the use of	SSL_sendfile(3).

IMPLEMENTATION NOTES
     ktls assumes the presence of a direct map of physical memory when per-
     forming software encryption and decryption.  As a result, it is only sup-
     ported on architectures with a direct map.

SEE ALSO
     cxgbe(4), mlx5en(4), tcp(4), src.conf(5), ifconfig(8), sysctl(8),
     crypto(9)

HISTORY
     Kernel TLS	first appeared in FreeBSD 13.0.

FreeBSD	13.0			 March 8, 2021			  FreeBSD 13.0

---

NAME | SYNOPSIS | DESCRIPTION | IMPLEMENTATION NOTES | SEE ALSO | HISTORY

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=ktls&sektion=4&manpath=FreeBSD+13.2-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2023 The FreeBSD Project. All rights reserved.

Contact