ktls nginx not working
Sergey Kandaurov
pluknet at nginx.com
Thu Jan 27 14:14:56 UTC 2022
> On 27 Jan 2022, at 16:48, Anoop Alias <anoopalias01 at gmail.com> wrote:
>
> Hi,
>
> I am trying to implement/test ktls as per the blog article
>
> https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/#tls-protocol
>
> ###########################
> This is done on CentOS8 VM
>
> # uname -r
> 4.18.0-348.7.1.el8_5.x86_64
> ###########################
> # openssl-3.0.1/.openssl/bin/openssl ciphers
> [..]
>
> ###########################
> # /usr/sbin/nginx-debug -V
> nginx version: nginx/1.21.6
> built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
> built with OpenSSL 3.0.1 14 Dec 2021
> TLS SNI support enabled
> configure arguments: --with-debug --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/etc/nginx/modules --with-pcre=./pcre2-10.39 --with-pcre-jit --with-zlib=./zlib-1.2.11 --with-openssl=./openssl-3.0.1 --with-openssl-opt=enable-ktls --with-openssl-opt=enable-tls1_3 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log
> ############################
> The debug log does not show any signs of ktls in use
> [..]
> [root at 65-108-156-104 nginx-1.21.6]# grep SSL_sendfile /var/log/nginx/error_log
> [root at 65-108-156-104 nginx-1.21.6]# grep BIO /var/log/nginx/error_log
> [root at 65-108-156-104 nginx-1.21.6]#
>
> There is no SSL_sendfile in the log
>
> ##############################################
> # TLS Settings
> ssl_protocols TLSv1.3;
> ssl_session_cache shared:SSL:32m;
> ssl_dhparam /etc/nginx/ssl/dhparam.pem;
> ssl_session_timeout 1d;
> ssl_session_tickets off;
> ssl_ocsp_cache shared:ocspcache:10m;
>
>
> server{
> ...
> ssl_conf_command Options KTLS;
> ..
> }
> #################################################
> What am I doing wrong?
>
Make sure you have enabled sendfile in the configuration.
Note that Linux 4.18 as distributed with CentOS 8
implements no KTLS for TLSv1.3 ciphers,
and a quite limited number of ciphers for TLSv1.2.
--
Sergey Kandaurov
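
Added example, not part of the original thread or of nginx: a small shell check for the two conditions named in the reply above (sendfile disabled, TLSv1.3-only on an old kernel). The function names, the sample configuration and the 5.1 kernel threshold are assumptions of this example; the thread itself only states that the 4.18 kernel shipped with CentOS 8 has no kTLS for TLSv1.3.

```shell
#!/bin/sh
# Added example: check an nginx config and kernel release for the two
# conditions named in the reply.
# Assumption: mainline Linux gained kTLS for TLSv1.3 in 5.1; the thread
# only says the 4.18 kernel shipped with CentOS 8 has none.

# Exit status 0 when kernel release $1 is older than 5.1.
kernel_lacks_tls13_ktls() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "${minor:-0}" -lt 1 ]; }
}

# Reads nginx configuration on stdin; $1 is the kernel release (uname -r).
# Prints one line per problem found, nothing when all checks pass.
ktls_findings() {
    conf=$(sed 's/#.*//')                      # strip comments
    printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*sendfile[[:space:]]+on[[:space:]]*;' ||
        echo "sendfile is not enabled (nginx default is off)"
    printf '%s\n' "$conf" |
        grep -Eq 'ssl_conf_command[[:space:]]+Options[[:space:]]+KTLS[[:space:]]*;' ||
        echo "ssl_conf_command Options KTLS is missing"
    protos=$(printf '%s\n' "$conf" | grep -Eo 'ssl_protocols[^;]*;' | head -n 1)
    case $protos in
        *TLSv1.2*) ;;                          # a TLSv1.2 fallback exists
        *TLSv1.3*)
            if kernel_lacks_tls13_ktls "$1"; then
                echo "only TLSv1.3 is enabled, kernel $1 has no kTLS for it"
            fi ;;
    esac
    return 0
}

# Constructed sample mirroring the configuration posted in the thread.
sample_conf() {
    cat <<'EOF'
# TLS Settings
ssl_protocols TLSv1.3;
ssl_session_tickets off;
server {
    ssl_conf_command Options KTLS;
}
EOF
}

sample_conf | ktls_findings "4.18.0-348.7.1.el8_5.x86_64"
```

On a live host the same function can be fed the output of `nginx -T` together with `uname -r`. It does not check the TLSv1.2 cipher limitation mentioned in the reply.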