compio-ktls

Kernel TLS (kTLS) support for Compio.

Overview

• Built on top of ktls-core
• Not tied to any specific Compio runtime implementation
• Pluggable TLS implementations (currently supports Rustls)
• Currently supports TLS 1.3 only
• Supports NewSessionTicket, KeyUpdate, and Alert message handling
• Supports splitting KtlsStream into read/write halves for concurrent I/O

Features

• rustls (default): Enable Rustls integration
• ring: Use ring as the crypto backend
• app-write-with-empty-ancillary: Use write_with_ancillary() instead of write() for application data writes. compio-rs/compio#756 introduced zero-copy writes for io-uring, which changed the default behavior of write() in a way that breaks on kTLS-enabled sockets. Enable this feature when using io-uring to work around the conflict between zero-copy writes and kTLS.
• sync: Use thread-safe locks for the split read/write halves. By default, single-threaded (unsync) locks are used. Enable this feature if you need to use the split halves across threads.

Usage

use compio_ktls::{KtlsConnector, KtlsAcceptor};

// Client side
let connector = KtlsConnector::from(client_config);
match connector.connect("example.com", tcp_stream).await? {
    Ok(stream) => {
        // kTLS enabled successfully
    }
    Err(stream) => {
        // kTLS unavailable, fallback to original stream
    }
}

// Server side
let acceptor = KtlsAcceptor::from(server_config);
match acceptor.accept(tcp_stream).await? {
    Ok(stream) => {
        // kTLS enabled successfully
    }
    Err(stream) => {
        // kTLS unavailable, fallback to original stream
    }
}

You can split a KtlsStream into independent read and write halves for concurrent I/O:

use compio::io::util::Splittable;

let (mut reader, mut writer) = stream.split();
// Now reader and writer can be used concurrently

Requirements

Requires Linux kernel with kTLS support, version 6.6 LTS or newer is recommended.

Check if the kTLS module is loaded:

lsmod | grep tls

If not loaded, you can manually load it:

sudo modprobe tls

Also requires Rustls with enable_secret_extraction enabled:

use std::sync::Arc;
use rustls::ClientConfig;

let mut config = ClientConfig::builder()
    .dangerous()
    .with_custom_certificate_verifier(/* ... */)
    .with_no_client_auth();

config.enable_secret_extraction = true;

let config = Arc::new(config);

License

Licensed under either of:

• Apache License, Version 2.0
• Mulan Permissive Software License, Version 2

SPDX-License-Identifier: Apache-2.0 OR MulanPSL-2.0