| b08bb7f8 | 17-Aug-2021 |
John Baldwin <[email protected]> |
OpenSSL: Add support for Chacha20-Poly1305 to kernel TLS on FreeBSD.
FreeBSD's kernel TLS supports Chacha20 for both TLS 1.2 and TLS 1.3.
NB: This commit has not yet been merged upstream as it is deemed a new feature and did not make the feature freeze cutoff for OpenSSL 3.0.
Reviewed by: jkim
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31443
(cherry picked from commit 6372fd253e3266c6eb271f49159f1632d527c9bd)
|
| 622809b0 | 17-Aug-2021 |
John Baldwin <[email protected]> |
OpenSSL: Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However, if it is compiled, then it was automatically used unless specifically configured not to. This is problematic because it avoids any crypto implementations from providers. A user who configures all crypto to use the FIPS provider may unexpectedly find that TLS related crypto is actually being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather than two separate "modes" (i.e. SSL_MODE_NO_KTLS_RX and SSL_MODE_NO_KTLS_TX).
Reviewed by: jkim
Obtained from: OpenSSL (a3a54179b6754fbed6d88e434baac710a83aaf80)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31440
(cherry picked from commit 62ca9fc1ad569eb3fafd281e03812a598b9856ee)
|