Re: [PATCH v4 0/3] tls: Add TLS 1.3 hardware offload support
From: Rishikesh Jethwani <hidden>
Date: 2026-01-26 23:37:34
On Fri, Jan 23, 2026 at 11:05 AM Rishikesh Jethwani [off-list ref] wrote:
On Thu, Jan 22, 2026 at 11:22 AM Rishikesh Jethwani [off-list ref] wrote:quoted
quoted
Hi Rishikesh, This version doesn't compile for us. A few comments that we wanted to share on V3, but I'll share here as this is the latest: We tested V3 and a few issues were spotted. We did not debug them though... We run a server/client test with nginx and wrk. a. When requesting 128-bit key, ss output shows "cipher: aes-gcm-256" for the respective connection. For TLS 1.2 it works fine. b. On the wrk side, the mlx5 rx_tls_ctx did not increase (meaning no offloaded connections were opened). It works fine on the nginx side however... For TLS 1.2 it works fine. We can share more info if needed. Regards, TariqHi Tariq, I have fixed the typo leading to compile errors in V5. Could you please share more info. about the setup and test, so that I can try to reproduce the issue? Thanks, RishikeshHI Tariq, Did you run SW TLS 1.3 in your environment?
Hi Tariq,
I tested TLS 1.3 hardware offload with nginx and wrk. The ss output
shows the correct cipher, and hardware counters confirm TX/RX offload
is working as expected.
AES-256-GCM:
nginx.conf:
ssl_protocols TLSv1.3;
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384;
ssl_conf_command Options KTLS;
# ss -tnei 'sport = :16443 or dport = :16443' | grep -i cipher
version: 1.3 cipher: aes-gcm-256
AES-128-GCM:
nginx.conf:
ssl_protocols TLSv1.3;
ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256;
ssl_conf_command Options KTLS;
# ss -tnei 'sport = :16443 or dport = :16443' | grep -i cipher
version: 1.3 cipher: aes-gcm-128
Both ciphers report correctly. I suspect there may be a configuration
issue on your setup. Let me know if you need help debugging.
Regards,
Rishikesh