On Fri, 24 Oct 2025 12:11:11 +1000 Wilfred Mallawa wrote: > In the previous record_size_limit approach for TLS 1.3, we need to > account for the ContentType byte. Which complicates get/setsockopt() > and tls_get_info(), where in setsockopt() for TLS 1.3 we need to > subtract 1 to the user provided value and in getsockopt() we need add 1 > to keep the symmetry between the two (similarly in tls_get_info()). The > underlying assumption was that userspace passes up directly what the > endpoint specified as the record_size_limit. > > With this approach we don't need to worry about it and we can pass the > responsibility to user-space as documented, which I think makes the > kernel code simpler.
But we haven't managed to avoid that completely: + if (value < TLS_MIN_RECORD_SIZE_LIM - (tls_13 ? 1 : 0) || I understand the motivation, the kernel code is indeed simpler. Last night I read the RFC and then this patch, and it took me like 10min to get all of it straight in my head. Maybe I was tried but I feel like the user space developers will judge us harshly for the current uAPI.
