On 07/23/2015 07:50 PM, John-Mark Gurney wrote:
> I've been working on project to accelerate TLS by doing the framing
> and encryption work in the kernel, and not in userland.  We made the
> choice of not moving the handshake and certificate validation into
> the kernel due to its complexity and high risk for bugs.  Yes,
> tcpcrypt will have slightly more code than just framing and encryption,
> but it's vastly more simple than doing anything wrt parsing and
> validating X.509 certificates.

Well, the Linux kernel already has an X.509 parser :)

Doing the handshake in userland is an option for a TCP-TLS
implementation, however I think the overhead of that approach will cause
most distros to leave it off by default.

> If the TCP-TLS implementation is chosen, it will be significantly
> longer before it will be integrated into FreeBSD.  The reason is
> that there is no code that can simply be used w/o major auditing
> and/or rewriting to be secure for use in the kernel.  The tcpcrypt
> code was written from the start to be used in the kernel.

This is true for Linux as well. No existing TLS implementation is
available that is suitable for inclusion in the kernel. I would expect
an implementation to be an entirely new TLS codebase.

Maybe I have missed it, but has there been a thread on the LKML about
this yet?

Thomas

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc
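The split John-Mark describes (handshake and certificate validation in userland, only framing and encryption in the kernel) is easiest to see in code. The following is an added illustration, not code from FreeBSD's kernel TLS work, tcpcrypt or Linux: it models a TLS 1.2-style record layer (RFC 5246 header and length bounds, RFC 5288 explicit nonce and sequence-number additional data) as a component that receives finished keys and never sees the handshake. The handshake is replaced by a constructed key-expansion stand-in, and the AEAD is a labelled toy (keystream plus HMAC) standing in for AES-GCM with the same interface; the class and function names are mine.

```python
"""Record layer with no handshake logic: keys come in from a userland stand-in,
the RecordLayer only frames, sequences and seals/opens records (added example)."""
import hashlib
import hmac
import struct

MAX_PLAINTEXT = 1 << 14                 # RFC 5246: TLSPlaintext.length <= 2^14
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048   # RFC 5246 s6.2.3: TLSCiphertext.length bound
HEADER_LEN = 5                          # type(1) || version(2) || length(2)
EXPLICIT_NONCE_LEN = 8                  # RFC 5288: explicit nonce carried in the record
IMPLICIT_IV_LEN = 4                     # RFC 5288: implicit part taken from the key block
TAG_LEN = 16
VERSION_TLS12 = b"\x03\x03"
APPLICATION_DATA = 23


class RecordError(Exception):
    """Malformed or unauthentic record: the connection must be torn down."""


def handshake_stand_in(master_secret: bytes) -> dict:
    """Userland side. Stand-in for the handshake + PRF key expansion (constructed,
    not the RFC 5246 PRF): it only has to hand the record layer a key block."""
    def expand(label: bytes, n: int) -> bytes:
        return hmac.new(master_secret, label, hashlib.sha256).digest()[:n]
    return {"key": expand(b"write key", 32), "implicit_iv": expand(b"write IV", IMPLICIT_IV_LEN)}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:  # toy counter-mode keystream, stand-in for AES-CTR inside GCM
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC AEAD with the AES-GCM interface; not the same strength."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def aead_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time compare, reject before decrypting
        raise RecordError("bad record MAC")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class RecordLayer:
    """Kernel-side component: framing, sequence numbers and AEAD only."""

    def __init__(self, keys: dict):
        self.key, self.implicit_iv = keys["key"], keys["implicit_iv"]
        self.seq = 0  # 64-bit record sequence number, never reused under one key

    def _aad(self, content_type: int, length: int) -> bytes:
        # seq_num || type || version || length  (RFC 5246 s6.2.3.3 additional_data)
        return struct.pack(">QB", self.seq, content_type) + VERSION_TLS12 + struct.pack(">H", length)

    def seal(self, content_type: int, plaintext: bytes) -> bytes:
        if len(plaintext) > MAX_PLAINTEXT:
            raise RecordError("plaintext exceeds 2^14 bytes; caller must fragment")
        if self.seq >= 1 << 64:
            raise RecordError("sequence number exhausted; rekey")
        explicit = struct.pack(">Q", self.seq)        # explicit nonce = sequence number (RFC 5288)
        sealed = aead_seal(self.key, self.implicit_iv + explicit,
                           self._aad(content_type, len(plaintext)), plaintext)
        self.seq += 1
        body = explicit + sealed
        return struct.pack(">B", content_type) + VERSION_TLS12 + struct.pack(">H", len(body)) + body

    def open(self, data: bytes):
        """Parse one record from the front of data -> (type, plaintext, consumed),
        or None when a complete record has not arrived yet."""
        if len(data) < HEADER_LEN:
            return None
        content_type, version, length = struct.unpack(">B2sH", data[:HEADER_LEN])
        if version != VERSION_TLS12:
            raise RecordError("unexpected record version")
        if length > MAX_CIPHERTEXT:                   # bound checked before buffering anything
            raise RecordError("record length exceeds TLSCiphertext bound")
        if length < EXPLICIT_NONCE_LEN + TAG_LEN:
            raise RecordError("record too short to hold nonce and tag")
        if len(data) < HEADER_LEN + length:
            return None
        body = data[HEADER_LEN:HEADER_LEN + length]
        explicit, sealed = body[:EXPLICIT_NONCE_LEN], body[EXPLICIT_NONCE_LEN:]
        plaintext = aead_open(self.key, self.implicit_iv + explicit,
                              self._aad(content_type, len(sealed) - TAG_LEN), sealed)
        self.seq += 1
        return content_type, plaintext, HEADER_LEN + length


def opens(layer: RecordLayer, record: bytes) -> bool:
    """True if the record authenticates under the layer's current state."""
    try:
        return layer.open(record) is not None
    except RecordError:
        return False


def exchange(messages):
    """Seal each message on one side, reassemble from a byte stream on the other."""
    keys = handshake_stand_in(b"constructed master secret")   # constructed input
    sender, receiver = RecordLayer(keys), RecordLayer(keys)
    wire = b"".join(sender.seal(APPLICATION_DATA, m) for m in messages)
    out = []
    while wire:
        _, plaintext, used = receiver.open(wire)
        out.append(plaintext)
        wire = wire[used:]
    return out
```

The point the thread makes is visible in the interface: `RecordLayer` is built from a key dictionary and nothing else, so an X.509 parser never has to live next to it. The receiver's own sequence number goes into the additional data, which is why a replayed record fails to authenticate, and the length bound is checked from the header before any body bytes are consumed.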
