X Tutup
Skip to content

gh-96828: Add an ssl.OP_ENABLE_KTLS option#96830

Merged
gpshead merged 1 commit intopython:mainfrom
illia-v:feat-96828-ktls-option
Nov 24, 2022
Merged

gh-96828: Add an ssl.OP_ENABLE_KTLS option#96830
gpshead merged 1 commit intopython:mainfrom
illia-v:feat-96828-ktls-option

Conversation

@illia-v
Copy link
Contributor

@illia-v illia-v commented Sep 14, 2022
edited by bedevere-bot
Loading

@gpshead gpshead requested a review from tiran October 10, 2022 22:16
gpshead
gpshead approved these changes Oct 10, 2022
View reviewed changes
Copy link
Member

@gpshead gpshead left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added @tiran to confirm we want this, otherwise this looks good.

@smontanaro
Copy link
Contributor

smontanaro commented Nov 22, 2022

(I'm working my way through some PRs which have been approved and are labeled "awaiting merge", hence my seemingly bolt from the blue comment. Why? Read here.)

@tiran? Do you have anything to add?

@tiran
Copy link
Member

tiran commented Nov 23, 2022

Is there any benefit in using KTLS without SSL_sendfile at all? Did you test that the feature actually works with Python's ssl module? It's definitely incompatible with MemoryBIO / asyncio.

@illia-v
Copy link
Contributor Author

illia-v commented Nov 23, 2022

@tiran let me cite your colleagues to respond about the benefit 🙂:

With suitable NIC hardware the encryption operations can be offloaded, freeing time on the main CPUs for application usage. Without offload hardware, kTLS may still improve parallelism for applications as the kernel can perform encryption operations on a differen host CPU to that running the application threads

Also, I posted about SSL_sendfile on Discuss, your response will be valuable there.

I did a test using this code and new methods of _ssl._SSLSocket:
a30a9f8

import asyncio
import socket
import ssl

import certifi


def check_ktls(sslobj):
    print(f"kTLS read {sslobj.uses_ktls_for_read()}")
    print(f"kTLS write {sslobj.uses_ktls_for_write()}")


hostname = "example.com"
request = b"GET /\r\n\r\n"

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_verify_locations(certifi.where(), None, None)
context.options |= ssl.OP_ENABLE_KTLS

with socket.create_connection((hostname, 443)) as sock:
    with context.wrap_socket(sock, server_hostname=hostname) as ssock:
        ssock.send(request)
        print(ssock.recv(20))
        print(ssock.cipher())
        check_ktls(ssock._sslobj)


print()


async def check():
    print("asyncio")
    reader, writer = await asyncio.open_connection(hostname, 443, ssl=context)
    writer.write(request)
    print(await reader.read(20))
    ssl_object = writer.transport.get_extra_info("ssl_object")
    print(ssl_object.cipher())
    check_ktls(ssl_object._sslobj)
    writer.close()


asyncio.run(check())

This was the result, kTLS was used for writing when asyncio was not used:

b'HTTP/1.0 404 Not Fou'
('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
kTLS read False
kTLS write True

asyncio
b'HTTP/1.0 404 Not Fou'
('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
kTLS read False
kTLS write False

@gpshead gpshead merged commit 9dc0836 into python:main Nov 24, 2022
@gpshead
Copy link
Member

gpshead commented Nov 24, 2022

Thanks!

@illia-v illia-v mentioned this pull request Nov 29, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gpshead gpshead gpshead approved these changes

@tiran tiran Awaiting requested review from tiran

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add an ssl.OP_ENABLE_KTLS option for enabling the use of the kernel TLS

5 participants

@illia-v @smontanaro @tiran @gpshead @bedevere-bot
X Tutup