Add TLS support #155
…work -> protocols -> tls)
…file exists or not
… network_receive_to_buffer to operate on the internal buffer structs
…end/close and add support for select-able cipher suites and min/max tls versions
…example config file
…is not allocated on its own
…racter from the line ending that wasn't a new line
…heus module, improve tls management, add a command line option to list the supported tls ciphers, the min/max version and if they are supported by ktls, way too many other things
… configuration is present
Codecov Report
@@           Coverage Diff           @@
##            main     #155      +/-   ##
==========================================
- Coverage   81.04%   77.97%   -3.08%
==========================================
  Files         88       92       +4
  Lines       5514     6130     +616
==========================================
+ Hits        4469     4780     +311
- Misses      1045     1350     +305
Continue to review full report at Codecov.
This pull request introduces 2 alerts when merging 18b725c into 64f0b88 - view on LGTM.com new alerts:
This pull request introduces 1 alert when merging 0d65210 into 64f0b88 - view on LGTM.com new alerts:
This PR contains a number of changes, the vast majority TLS related, although there are some minor fixes for the tests, some general code coverage improvements, some bug fixes for the worker statistics, etc.
The TLS support has been implemented via mbedTLS 2 and TLS is supported up to TLS 1.2; although TLS 1.3 should work, it hasn't been fully tested. OpenSSL has been dropped from the build, although it's still needed for sentry, and some code used for the benchmarks (or, better said, unused) that was using its big number implementation has been commented out because it can't really be ported to openssl and needs rewriting.
The PR also contains the necessary changes to enable the kernel offload (kTLS) if the chosen cipher is supported; this considerably speeds up the operations, especially if the network card supports TLS offloading (e.g. Mellanox ConnectX-6) or hardware encryption/decryption is supported.
3 new statistics have been introduced:
A new command line option has been introduced to make it easy to enumerate the supported ciphers; it also indicates if kTLS is supported, e.g.
Code coverage is probably not great with this PR, will improve it in separate PRs.
Closes #152