On Sun, Jan 20, 2019 at 03:08:23PM -0800, Adam Langley wrote:
> On Sun, Jan 20, 2019 at 2:41 PM Willy Tarreau <w...@1wt.eu> wrote:
> > Just out of curiosity, if such out-of-band messages are enabled again in
> > 1.3, do you think this might have any particular impacts on something like
> > kTLS where the TLS stream is deciphered by the kernel? I don't know how
> > such messages can safely be delivered to userland in this case, nor if
> > they're needed there at all.
>
> No idea, I'm afraid. If you have a server to test, it looks like one
> can use OpenSSL 1.1.1's `openssl s_client` tool to send a KeyUpdate
> message by writing "K" on a line by itself.

Oh thanks for the hint, thus we can also use this to test haproxy :-)

> If I were to guess about how in-kernel TLS would work, I would think
> that the message would be handled internally and user-space wouldn't
> need to know anything about it: it just requires rotating the traffic
> keys and, potentially, writing a message in reply--both things that the
> kernel can probably handle itself.

This indeed makes sense. I don't have any such server to test right now
but I've been thinking about studying this possibility for later.

Thanks!
Willy
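As an added illustration (not from the thread, and not haproxy, OpenSSL or kTLS code): the two steps a receiver of a TLS 1.3 KeyUpdate has to perform, as described in RFC 8446 §4.6.3 and §7.2, namely rotating the peer's traffic secret with HKDF-Expand-Label("traffic upd") and, if the peer asked for it, answering with a KeyUpdate of its own. It assumes a SHA-256 cipher suite with AES-128-GCM key and IV lengths; the starting secret is a constructed sample value, not a real session secret.

```python
import hmac, hashlib, struct

HASH = hashlib.sha256          # assumption: a *_SHA256 cipher suite
KEY_LEN, IV_LEN = 16, 12       # assumption: AES-128-GCM key and IV sizes
KEY_UPDATE = 24                # HandshakeType key_update (RFC 8446 §4)
# Constructed sample secret for the demo; a real application_traffic_secret_N
# comes from the handshake key schedule.
SAMPLE_SECRET = hashlib.sha256(b"constructed example secret, not real").digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869 §2.3): T(i) = HMAC(prk, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 §7.1); info is the serialized HkdfLabel struct."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (struct.pack("!H", length) + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def traffic_keys(secret: bytes):
    """AEAD write key and IV derived from an application_traffic_secret_N."""
    return (hkdf_expand_label(secret, "key", b"", KEY_LEN),
            hkdf_expand_label(secret, "iv", b"", IV_LEN))

def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1 (RFC 8446 §7.2), computed after a KeyUpdate."""
    return hkdf_expand_label(secret, "traffic upd", b"", HASH().digest_size)

def encode_key_update(request_update: bool) -> bytes:
    """Handshake message: type(1) | uint24 length | KeyUpdateRequest(1)."""
    body = bytes([1 if request_update else 0])
    return bytes([KEY_UPDATE]) + len(body).to_bytes(3, "big") + body

def parse_key_update(msg: bytes) -> bool:
    """Return True if the peer asked us to update too; reject anything malformed."""
    if len(msg) != 5 or msg[0] != KEY_UPDATE or msg[1:4] != b"\x00\x00\x01":
        raise ValueError("not a well-formed KeyUpdate handshake message")
    if msg[4] not in (0, 1):
        raise ValueError("illegal_parameter: unknown KeyUpdateRequest value")
    return msg[4] == 1

def handle_key_update(peer_read_secret: bytes, msg: bytes):
    """Receiver side: rotate the peer's read secret/keys; if update_requested,
    reply with KeyUpdate(update_not_requested) and then rotate our own write keys."""
    requested = parse_key_update(msg)
    new_secret = next_traffic_secret(peer_read_secret)
    reply = encode_key_update(False) if requested else None
    return new_secret, traffic_keys(new_secret), reply
```

Nothing here crosses the kernel/user-space boundary: both the derivation and the reply are byte-level operations on state the record layer already holds, which is the point of the guess quoted above.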