nodejs / help

:sparkles: Need help with Node.js? File an Issue here. :rocket:

Kernel TLS #4230

Closed grijjly closed 2 months ago

grijjly commented 12 months ago

Details

My kernel version is 5.12+ (Ubuntu). I executed sudo modprobe tls. I set secureOptions on https create server to 8 (8 is SSL_OP_ENABLE_KTLS). I use version 20+, which uses OpenSSL 3.0.7, but when I trace node, the only setsockopt is TCP_NODELAY; it does not activate kTLS somehow.

Node.js version

v18.17.0

Example code

```javascript
const fs = require('fs')
const https = require('https')
const handleHttp = require('./http') // local request handler module

const server = https.createServer({
  key: fs.readFileSync('./suitable.live.key'),
  cert: fs.readFileSync('./suitable.live.pem'),
  ciphers: 'AES128-GCM-SHA256',
  secureOptions: 984 | 536870912
}, handleHttp)

server.listen(443)
```

Operating system

linux ubuntu kernel version 5.12+

Scope

runtime

Module and version

Not applicable.

preveen-stack commented 12 months ago

cc @nodejs/crypto

Can you try setting secureOptions as described in this doc https://www.codexpedia.com/node-js/nodejs-tls-configuration-server-and-client-example/

secureOptions: constants.SSL_OP_NO_SSLv2 | ....

tniessen commented 12 months ago

@grijjly Are you using a custom build of OpenSSL with Node.js? The default compile-time configuration of OpenSSL disables KTLS, which means that it cannot be enabled at runtime.

civilianatpoint commented 12 months ago

> @grijjly Are you using a custom build of OpenSSL with Node.js? The default compile-time configuration of OpenSSL disables KTLS, which means that it cannot be enabled at runtime.

How can I do that? How to compile with kTLS enabled, sir?

civilianatpoint commented 12 months ago

> cc @nodejs/crypto
>
> Can you try setting secureOptions as described in this doc https://www.codexpedia.com/node-js/nodejs-tls-configuration-server-and-client-example/
>
> secureOptions: constants.SSL_OP_NO_SSLv2 | ....

I made the right int value for that; only TLS 1.2 is working and I tested it with a TLS checker. I think the problem is the one described by @tniessen.

tniessen commented 12 months ago

> how can i do that ? how to compile with ktls enabled sir ?

OpenSSL needs to be configured with enable-ktls. Then you should be able to link against that custom build of OpenSSL as described here, i.e., using --shared-openssl etc.

That might not be sufficient though, see https://github.com/openssl/openssl/issues/14595#issuecomment-801822348. In particular, I am not sure if we use a compatible BIO. cc @bnoordhuis

grijjly commented 10 months ago

@preveen-stack @tniessen Update: I tried to build node with ./configure --openssl-conf-name=enable-ktls (node v 20.0.8). I set secureOptions:984, also tried 8, but 984&8=8. Cipher: forced sha128gcm256 (I also validated that), also released default. modprobe tls was already loaded because of a recent nginx setup, but I loaded it anyway.

I tried to send after https parsed: on my endpoint I sent fs.write(fd,buffer) but got an SSL error in the browser. Then I thought maybe nodejs handles it somehow and responded with res.end, then checked sudo nano /proc/net/tls_stat:

```
TlsCurrTxSw 0
TlsCurrRxSw 0
TlsCurrTxDevice 0
TlsCurrRxDevice 0
TlsTxSw 0
TlsRxSw 0
```

I think I made everything right, but nodejs does not use something necessary.

Info: on the same instance I succeeded with kTLS with nginx, if someone needs to know that.
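
An added diagnostic example (not code from the thread's participants or from the Node.js project) that combines the checks raised above: the SSL_OP_ENABLE_KTLS bit in secureOptions, whether Node.js links a shared OpenSSL, and the /proc/net/tls_stat counters. The helper names and the `sharedOpenssl: false` input are assumptions; a shared OpenSSL must still be configured with enable-ktls, which this check cannot detect.

```javascript
const fs = require('fs');

// Value the thread gives for SSL_OP_ENABLE_KTLS.
const SSL_OP_ENABLE_KTLS = 8;

// Counters exactly as posted in the thread (all zero: the kernel never saw a kTLS session).
const THREAD_TLS_STAT =
  'TlsCurrTxSw 0 TlsCurrRxSw 0 TlsCurrTxDevice 0 TlsCurrRxDevice 0 TlsTxSw 0 TlsRxSw 0';

// Parse "Name value" pairs from /proc/net/tls_stat (any whitespace between them).
function parseTlsStat(text) {
  const stats = {};
  for (const m of text.matchAll(/(Tls\w+)\s+(\d+)/g)) stats[m[1]] = Number(m[2]);
  return stats;
}

// Hypothetical helper: list the reasons kTLS is probably not in use (empty = none found).
function ktlsFindings({ secureOptions, sharedOpenssl, tlsStatText }) {
  const findings = [];
  if ((secureOptions & SSL_OP_ENABLE_KTLS) === 0) {
    findings.push('secureOptions does not include SSL_OP_ENABLE_KTLS (8)');
  }
  if (!sharedOpenssl) {
    // Per the thread: the default OpenSSL build configuration disables kTLS.
    findings.push('Node.js uses its bundled OpenSSL, not a shared enable-ktls build');
  }
  if (tlsStatText === null) {
    findings.push('/proc/net/tls_stat not readable (is the tls module loaded?)');
  } else {
    const s = parseTlsStat(tlsStatText);
    const opened = ['TlsTxSw', 'TlsRxSw', 'TlsTxDevice', 'TlsRxDevice']
      .reduce((sum, key) => sum + (s[key] || 0), 0);
    if (opened === 0) findings.push('kernel has recorded no kTLS sessions');
  }
  return findings;
}

// Collect the inputs from the running process and host, then evaluate them.
function checkHost(secureOptions) {
  let tlsStatText = null;
  try { tlsStatText = fs.readFileSync('/proc/net/tls_stat', 'utf8'); } catch { /* absent */ }
  const sharedOpenssl = String(process.config.variables.node_shared_openssl) === 'true';
  return ktlsFindings({ secureOptions, sharedOpenssl, tlsStatText });
}

// The reporter's settings from the thread (sharedOpenssl: false is assumed), with the posted counters.
console.log(ktlsFindings({
  secureOptions: 984 | 536870912, sharedOpenssl: false, tlsStatText: THREAD_TLS_STAT,
}));
```

Calling `checkHost(984 | 536870912)` inside the server process runs the same checks against the live host instead of the posted values.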

github-actions[bot] commented 3 months ago

It seems there has been no activity on this issue for a while, and it is being closed in 30 days. If you believe this issue should remain open, please leave a comment. If you need further assistance or have questions, you can also search for similar issues on Stack Overflow. Make sure to look at the README file for the most updated links.

github-actions[bot] commented 2 months ago

It seems there has been no activity on this issue for a while, and it is being closed. If you believe this issue should remain open, please leave a comment. If you need further assistance or have questions, you can also search for similar issues on Stack Overflow. Make sure to look at the README file for the most updated links.