nfs tls: Update for SSL_OP_ENABLE_KTLS.

Upstream OpenSSL (and the KTLS backport) have switched to an opt-in option (SSL_OP_ENABLE_KTLS) in place of opt-out modes (SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel TLS. Reviewed by: rmacklem Sponsored by: Netflix MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D31445
2021-08-10 14:18:43 -07:00 · 2021-08-10 14:18:43 -07:00 · c7bb0f47f7
commit c7bb0f47f7
parent 38911b3c2c
2 changed files with 10 additions and 0 deletions
--- a/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
+++ b/usr.sbin/rpc.tlsclntd/rpc.tlsclntd.c
@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void)
 	    SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
 #else
 	flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3;
+#endif
+#ifdef SSL_OP_ENABLE_KTLS
+	flags |= SSL_OP_ENABLE_KTLS;
 #endif
 	SSL_CTX_set_options(ctx, flags);
+#ifdef SSL_MODE_NO_KTLS_TX
 	SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 	return (ctx);
 }

--- a/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
+++ b/usr.sbin/rpc.tlsservd/rpc.tlsservd.c
@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir)
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
 		    rpctls_verify_callback);
 	}
+#ifdef SSL_OP_ENABLE_KTLS
+	SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
+#endif
+#ifdef SSL_MODE_NO_KTLS_TX
 	SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
+#endif
 	return (ctx);
 }