- python https://docs.python.org/3.12/library/ssl.html#ssl.OP_ENABLE_KTLS
- golang: golang/go#44506
- references
# Throwaway VM for the kTLS experiment: Ubuntu 22.04 (image build v20230429).
# NOTE: --scopes=cloud-platform gives the instance's service account broad API
# access; keep this VM short-lived or narrow the scope if it outlives the test.
create_args=(
  --zone=us-central1-a
  --machine-type=e2-highcpu-8
  --maintenance-policy=MIGRATE
  --provisioning-model=STANDARD
  --scopes=https://www.googleapis.com/auth/cloud-platform
  --create-disk=auto-delete=yes,boot=yes,device-name=ktls,image=projects/ubuntu-os-cloud/global/images/ubuntu-2204-jammy-v20230429,mode=rw,size=100
)
gcloud compute instances create ktls "${create_args[@]}"
gcloud compute ssh ktls
$ lsmod | grep tls
tls 114688 0
# Build toolchain plus the libraries the OpenSSL build and the later gcc step need.
apt-get update && apt-get install -y \
  gcc build-essential git wget curl vim \
  libpcre3 libpcre3-dev zlib1g zlib1g-dev \
  kmod libunwind-dev zip
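# Build OpenSSL with kTLS support and install it under /usr/local.
# TODO: pin the clone to a release tag (--branch <release-tag>); an unpinned
# clone builds whatever the default branch is at the moment and is not
# reproducible.
git clone https://github.com/openssl/openssl.git
cd openssl
./config enable-ssl-trace enable-ktls && make -j"$(nproc)" && make install
# Prepend the new libraries without leaving a trailing ':' when
# LD_LIBRARY_PATH was unset — an empty entry means "search the current
# directory", which is a classic library-hijack foothold.
export LD_LIBRARY_PATH=/usr/local/lib64${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export OPENSSL_CONF=/usr/local/ssl/openssl.cnf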
root@ktls1:~# which openssl
/usr/local/bin/openssl
# confirm the /usr/local build (configured with enable-ktls) is the one on PATH
openssl version -a
edit /usr/local/ssl/openssl.cnf and add at the top:
OPTIONS = KTLS
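# Build and install CPython 3.12.0b1 (pinned tag), a 3.12 build where
# ssl.OP_ENABLE_KTLS is available.
git clone https://github.com/python/cpython.git --branch v3.12.0b1
cd cpython/
./configure --enable-optimizations
# NOTE: 'make install' puts an unversioned 'python3' into the install prefix's
# bin directory, which shadows the distribution's python3 for everything on
# this VM; 'make altinstall' (python3.12 only) is the safer choice on a machine
# you intend to keep.
make -j"$(nproc)" && make install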
# you should see '8'; you may need to reload the shell (e.g. 'exit' and then
# 'sudo su -' again) so that PATH picks up the newly installed python3
python3 -c "import ssl; print(ssl.OP_ENABLE_KTLS)"
8
Create client.py with the following contents:
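import socket
import ssl
# python3 -m pip install urllib3
# from urllib3 import PoolManager
# from urllib3.util import create_urllib3_context

# Target of the kTLS smoke test.
hostname = 'httpbin.org'
port = 443

# The original script disabled certificate and hostname verification outright.
# A self-built OpenSSL keeps its trust store under its own prefix (here
# /usr/local/ssl), which is typically empty, so verification would fail even for
# a public host — presumably why it was switched off.  Keep that behaviour
# explicit and easy to turn back on: with INSECURE_SKIP_VERIFY = False the
# default context verifies the peer (point it at a CA bundle with
# ctx.load_verify_locations(...) if the default store is empty).
INSECURE_SKIP_VERIFY = True

if INSECURE_SKIP_VERIFY:
    # No authentication of the peer: fine against the local test server, never
    # for a real endpoint.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
else:
    ctx = ssl.create_default_context()

# Ask OpenSSL to offload record encryption to the kernel (Python 3.12+).
# Whether kTLS actually engages depends on the kernel module and the negotiated
# cipher; confirm with strace (setsockopt on SOL_TLS) as shown below.
ctx.options |= ssl.OP_ENABLE_KTLS

# HTTP requires CRLF line endings; a Host header is optional in HTTP/1.0 but
# harmless, and many servers expect one.
packet = f"GET /get HTTP/1.0\r\nHost: {hostname}\r\n\r\n"

with socket.create_connection((hostname, port)) as sock:
    with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:
        print(ssock.version())
        # sendall() keeps writing until the whole request is out; send() may
        # write only part of it.
        ssock.sendall(packet.encode('utf-8'))
        # A single recv() may return less than the full response; enough for a
        # smoke test.
        print(ssock.recv(1280))
# The with-blocks close ssock and sock on exit; no explicit close() is needed.

# url = 'https://httpbin.org/get'
# with PoolManager(ssl_context=ctx) as pool:
#     resp = pool.request('GET', url, headers={'content-type': 'text/plain'})
#     print(resp.data)
#     print('done')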
Then run it under strace to confirm kTLS is enabled:
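# urllib3 is only needed for the commented-out PoolManager variant of client.py.
python3 -m pip install urllib3
# -o keeps the trace separate from the program's own stderr.  kTLS shows up as
# setsockopt(..., SOL_TCP, TCP_ULP, ...) followed by SOL_TLS TLS_TX / TLS_RX.
strace -o strace_output.txt python3 client.py
grep setsockopt strace_output.txt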
You should see:
setsockopt(3, SOL_IP, IP_RECVERR, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_ULP, [7564404], 4) = 0
setsockopt(3, SOL_TLS, TLS_TX, "\3\0033\0\n:;M\\\271\203\376\256\24W\274\205\231\20\36\345R\374>>\33\203+\205\20\vP"..., 40) = 0
setsockopt(3, SOL_TLS, TLS_RX, "\3\0033\0\0\0\0\0\0\0\0\0s\250\211VC\277\2\213\35\3306%\336d\262\240M\3\306\254"..., 40) = 0
# Test certificate, key and CA from the squid_proxy repo.  The private key is
# published on GitHub, so it is only suitable for a throwaway local server.
base_url=https://raw.githubusercontent.com/salrashid123/squid_proxy/master
for f in server_crt.pem server_key.pem tls-ca.crt; do
  wget -O "$f" "$base_url/$f"
done
printf 'foo\n' > index.html
# Local kTLS server on :8443 serving files from the current directory (-WWW),
# pinned to TLS 1.2, with handshake/extension tracing on.
server_args=(
  -ktls -sendfile
  -cert server_crt.pem -key server_key.pem -CAfile tls-ca.crt
  -port 8443
  -tls1_2
  -tlsextdebug -trace
  -WWW
)
openssl s_server "${server_args[@]}"
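# -CAfile lets s_client verify the test server's certificate against the test
# CA instead of reporting an unknown issuer (assumes server_crt.pem chains to
# tls-ca.crt, as both come from the same repo).  Add -verify_return_error to
# make the connection fail, rather than just warn, when verification fails.
# -connect uses a single dash like the other OpenSSL options.
openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -tls1_2 -connect localhost:8443 -CAfile tls-ca.crt -debug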
local server from here
# Links against the /usr/local OpenSSL built above; at run time the binary still
# needs LD_LIBRARY_PATH to include /usr/local/lib64 (exported earlier).
gcc -o tls_server -std=gnu99 tls_server.c -L/usr/local/lib64 -lssl -lcrypto