Skip to content
GitLab
    • GitLab: the DevOps platform
    • Explore GitLab
    • Install GitLab
    • How GitLab compares
    • Get started
    • GitLab docs
    • GitLab Learn
  • Pricing
  • Talk to an expert
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
    • Switch to GitLab Next
    Projects Groups Topics Snippets
  • Register
  • Sign in
  • GnuTLS GnuTLS
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 273
    • Issues 273
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 17
    • Merge requests 17
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Artifacts
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Model experiments
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • gnutlsgnutls
  • GnuTLSGnuTLS
  • Issues
  • #1113
Closed
Open
Issue created Nov 04, 2020 by Ander Juaristi@juaristiDeveloper

GnuTLS should transparently use KTLS if it's available

The Linux kernel has been supporting KTLS for some time now.

This is basically a kernel-side TLS record encryption offloading. The kernel receives plaintext data on the socket descriptor via write() and it builds a valid TLS record around it. The same happens when data is read with read(): a TLS record is expected, then decrypted and the plaintext it contains returned. Another benefit is that you can send an entire file with sendfile(), which will also be transparently encrypted in suitable TLS records.

After a successful TLS handshake (this happens normally on userland), you need to obtain the TLS secrets. You do this with gnutls_record_get_state().

Then you enable KTLS on a connected TCP socket with setsockopt:

setsockopt(sockfd, SOL_TCP, TCP_ULP, "tls", sizeof("tls");

And finally you copy the TLS master secret to the kernel so that it can build the read and write keys.

I think GnuTLS should transparently use KTLS if it's available, when either gnutls_record_recv() or gnutls_record_write() are called.

If it's not available, fall back to userland encryption using Nettle, just like now.

More info about KTLS is here and here.

Edited Nov 04, 2020 by Ander Juaristi
Assignee
Assign to
Time tracking