On Sun, Jan 20, 2019 at 2:41 PM Willy Tarreau <[email protected]> wrote:
> Just out of curiosity, if such out-of-band messages are enabled again in
> 1.3, do you think this might have any particular impacts on something like
> kTLS where the TLS stream is deciphered by the kernel? I don't know how
> such messages can safely be delivered to userland in this case, nor if
> they're needed there at all.
No idea, I'm afraid. If you have a server to test, it looks like one can use OpenSSL 1.1.1's `openssl s_client` tool to send a KeyUpdate message by writing "K" on a line by itself.

If I were to guess about how in-kernel TLS would work, I would think that the message would be handled internally and user-space wouldn't need to know anything about it: it just requires rotating the traffic keys and, potentially, writing a message in reply—both things that the kernel can probably handle itself.

Cheers

AGL

--
Adam Langley [email protected] https://www.imperialviolet.org
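The reply above sketches what a TLS endpoint (in-kernel or not) has to do when a KeyUpdate arrives: rotate the traffic secret, and answer with its own KeyUpdate if the peer asked for one. The following is an added example, not code from this thread, from OpenSSL or from any kTLS implementation. It encodes and parses the KeyUpdate handshake message (RFC 8446 section 4.6.3) and derives the next-generation traffic secret and keys with HKDF-Expand-Label (RFC 8446 section 7.2). It assumes SHA-256 as the cipher-suite hash and AES-128-GCM key and IV sizes; the starting secret in the demo is a constructed placeholder, not a real session secret.

```python
import hashlib
import hmac
import struct

# KeyUpdate handshake message (RFC 8446, 4.6.3):
#   enum { update_not_requested(0), update_requested(1) } KeyUpdateRequest;
#   struct { KeyUpdateRequest request_update; } KeyUpdate;
HANDSHAKE_KEY_UPDATE = 24
UPDATE_NOT_REQUESTED = 0
UPDATE_REQUESTED = 1


def encode_key_update(request_update: int) -> bytes:
    """Serialise a Handshake message (type || 3-byte length || body) carrying a KeyUpdate."""
    if request_update not in (UPDATE_NOT_REQUESTED, UPDATE_REQUESTED):
        raise ValueError("request_update must be 0 or 1")
    body = bytes([request_update])
    return bytes([HANDSHAKE_KEY_UPDATE]) + len(body).to_bytes(3, "big") + body


def decode_key_update(msg: bytes) -> int:
    """Parse a KeyUpdate; RFC 8446 requires rejecting any other request_update value."""
    if len(msg) != 5 or msg[0] != HANDSHAKE_KEY_UPDATE:
        raise ValueError("not a KeyUpdate handshake message")
    if int.from_bytes(msg[1:4], "big") != 1:
        raise ValueError("KeyUpdate body must be exactly one byte")
    request_update = msg[4]
    if request_update not in (UPDATE_NOT_REQUESTED, UPDATE_REQUESTED):
        raise ValueError("illegal_parameter: unknown KeyUpdateRequest value")
    return request_update


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i), concatenated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hash_name).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int,
                      hash_name: str = "sha256") -> bytes:
    """HKDF-Expand-Label (RFC 8446, 7.1): HkdfLabel = length || "tls13 " + label || context."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def next_traffic_secret(secret: bytes, hash_name: str = "sha256") -> bytes:
    """application_traffic_secret_N+1 = HKDF-Expand-Label(secret_N, "traffic upd", "", Hash.length)."""
    return hkdf_expand_label(secret, b"traffic upd", b"", hashlib.new(hash_name).digest_size, hash_name)


def traffic_keys(secret: bytes, key_len: int = 16, iv_len: int = 12, hash_name: str = "sha256"):
    """Derive the record-layer key and IV from a traffic secret (RFC 8446, 7.3).
    Defaults are AES-128-GCM sizes (an assumption of this example)."""
    key = hkdf_expand_label(secret, b"key", b"", key_len, hash_name)
    iv = hkdf_expand_label(secret, b"iv", b"", iv_len, hash_name)
    return key, iv


def handle_key_update(msg: bytes, recv_secret: bytes, send_secret: bytes):
    """Process a received KeyUpdate the way any endpoint (or an in-kernel TLS stack) must.

    The peer has switched its sending keys, so our receive secret rotates unconditionally.
    If the peer set update_requested, we must send our own KeyUpdate (update_not_requested)
    before the next application-data record and then rotate our send secret too.
    Returns (new_recv_secret, reply_message_or_None, new_send_secret). The reply must be
    encrypted under the *current* send secret; switch to new_send_secret only once it is sent.
    """
    request_update = decode_key_update(msg)
    new_recv = next_traffic_secret(recv_secret)
    if request_update == UPDATE_REQUESTED:
        return new_recv, encode_key_update(UPDATE_NOT_REQUESTED), next_traffic_secret(send_secret)
    return new_recv, None, send_secret


if __name__ == "__main__":
    # Constructed placeholder secret for the demo; a real one comes from the handshake.
    secret = bytes(range(32))
    new_recv, reply, new_send = handle_key_update(encode_key_update(UPDATE_REQUESTED), secret, secret)
    print("reply KeyUpdate:", reply.hex())
    print("new recv secret:", new_recv.hex())
    print("new send key/iv:", *(x.hex() for x in traffic_keys(new_send)))
```

Note that neither the old secret nor any plaintext crosses the user/kernel boundary in this flow: everything the handler needs is the incoming message and the two current traffic secrets, which is why the message can be consumed where the record layer lives. The one ordering subtlety is that the reply KeyUpdate goes out under the old send key and the switch happens after it, otherwise the peer cannot decrypt the reply.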

