On Tue, Oct 21, 2025 at 07:29:17PM +1000, Wilfred Mallawa wrote: ...
> diff --git a/Documentation/networking/tls.rst > b/Documentation/networking/tls.rst > index 36cc7afc2527..ecaa7631ec46 100644 > --- a/Documentation/networking/tls.rst > +++ b/Documentation/networking/tls.rst > @@ -280,6 +280,28 @@ If the record decrypted turns out to had been padded or > is not a data > record it will be decrypted again into a kernel buffer without zero copy. > Such events are counted in the ``TlsDecryptRetry`` statistic. > > +TLS_TX_MAX_PAYLOAD_LEN > +~~~~~~~~~~~~~~~~~~~~~~ > + > +Specifies the maximum size of the plaintext payload for transmitted TLS > records. > + > +When this option is set, the kernel enforces the specified limit on all > outgoing > +TLS records. No plaintext fragment will exceed this size. This option can be > used > +to implement the TLS Record Size Limit extension [1]. > + - For TLS 1.2, the value corresponds directly to the record size limit. Hi Wilfred, Unfortunately make htmldocs seems unhappy with the line above. .../tls.rst:291: ERROR: Unexpected indentation. [docutils] This was with Sphinx 8.1.3. > + - For TLS 1.3, the value should be set to record_size_limit - 1, since > + the record size limit includes one additional byte for the ContentType > + field. > + > +The valid range for this option is 64 to 16384 bytes for TLS 1.2, and 63 to > +16384 bytes for TLS 1.3. The lower minimum for TLS 1.3 accounts for the > +extra byte used by the ContentType field. > + > +For TLS 1.3, getsockopt() will return the total plaintext fragment length, > +inclusive of the ContentType field. > + > +[1] https://datatracker.ietf.org/doc/html/rfc8449 > + > Statistics > ========== ...
