On Fri, 2025-10-24 at 16:33 -0700, Jakub Kicinski wrote: > On Fri, 24 Oct 2025 12:11:11 +1000 Wilfred Mallawa wrote: > > In the previous record_size_limit approach for TLS 1.3, we need to > > account for the ContentType byte. Which complicates > > get/setsockopt() > > and tls_get_info(), where in setsockopt() for TLS 1.3 we need to > > subtract 1 to the user provided value and in getsockopt() we need > > add 1 > > to keep the symmetry between the two (similarly in tls_get_info()). > > The > > underlying assumption was that userspace passes up directly what > > the > > endpoint specified as the record_size_limit. > > > > With this approach we don't need to worry about it and we can pass > > the > > responsibility to user-space as documented, which I think makes the > > kernel code simpler. > > But we haven't managed to avoid that completely: > > + if (value < TLS_MIN_RECORD_SIZE_LIM - (tls_13 ? 1 : 0) || > > I understand the motivation, the kernel code is indeed simpler. > > Last night I read the RFC and then this patch, and it took me like > 10min to get all of it straight in my head. Maybe I was tried but > I feel like the user space developers will judge us harshly for > the current uAPI.
I am open to reverting this to `record_size_limit` in that case. I think the only trade off is just a bit more complexity in the kernel side for the additional checks. Does that sound good to you Jakub/Sabrina? Regards, Wilfred
