nfs tls: Update for SSL_OP_ENABLE_KTLS.
Upstream OpenSSL (and the KTLS backport) have switched to an opt-in
option (SSL_OP_ENABLE_KTLS) in place of opt-out modes
(SSL_MODE_NO_KTLS_TX and SSL_MODE_NO_KTLS_RX) for controlling kernel
TLS.
Reviewed by: rmacklem
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31445
(cherry picked from commit c7bb0f47f7
)
parent
784459fc16
commit
df8406ca0f
@ -573,9 +573,14 @@ rpctls_setupcl_ssl(void)
|
||||
SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
|
||||
#else
|
||||
flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_3;
|
||||
#endif
|
||||
#ifdef SSL_OP_ENABLE_KTLS
|
||||
flags |= SSL_OP_ENABLE_KTLS;
|
||||
#endif
|
||||
SSL_CTX_set_options(ctx, flags);
|
||||
#ifdef SSL_MODE_NO_KTLS_TX
|
||||
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
|
||||
#endif
|
||||
return (ctx);
|
||||
}
|
||||
|
||||
|
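Review bot: If the OpenSSL headers define neither `SSL_OP_ENABLE_KTLS` nor `SSL_MODE_NO_KTLS_TX`, both `#ifdef` blocks at the end of rpctls_setupcl_ssl compile away and the context is returned with no kernel TLS request, with nothing at build time to show it. If this daemon depends on kernel offload (the commit title suggests so, but that is not visible here), a guard such as `#if !defined(SSL_OP_ENABLE_KTLS) && !defined(SSL_MODE_NO_KTLS_TX)` / `#error "OpenSSL without KTLS support"` / `#endif` would turn that into a build failure. The same pair of blocks in the rpctls_setup_ssl hunk has the same gap. A one-line comment such as `/* Opt-in on newer OpenSSL; the clear_mode below covers the older opt-out API. */` would also explain why both are kept. The function starts outside the hunk.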
@ -636,7 +636,12 @@ rpctls_setup_ssl(const char *certdir)
|
||||
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,
|
||||
rpctls_verify_callback);
|
||||
}
|
||||
#ifdef SSL_OP_ENABLE_KTLS
|
||||
SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
|
||||
#endif
|
||||
#ifdef SSL_MODE_NO_KTLS_TX
|
||||
SSL_CTX_clear_mode(ctx, SSL_MODE_NO_KTLS_TX | SSL_MODE_NO_KTLS_RX);
|
||||
#endif
|
||||
return (ctx);
|
||||
}
|
||||
|
||||
|
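Review bot: `SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS)` in rpctls_setup_ssl only asks OpenSSL to try kernel TLS; a handshake can still complete with userland record processing when the kernel or the negotiated cipher cannot be offloaded. The handshake code is outside this hunk, so it may already do this, but the connection should be rejected unless `BIO_get_ktls_send(SSL_get_wbio(ssl))` and `BIO_get_ktls_recv(SSL_get_rbio(ssl))` both report offload after the handshake. Otherwise a socket handed to the kernel could carry traffic the kernel is not actually protecting. A short comment next to the option, `/* KTLS is requested here and verified after the handshake. */`, would tie the two places together.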