Table of contents of the article:
Transport Layer Security (TLS) is an extremely popular encryption protocol. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copy operations between user space and the kernel.
The combination of kTLS and sendfile()
it means that the data is encrypted directly in kernel space, before being passed to the network stack for transmission. This eliminates the need to copy data into user space to be encrypted by TLS libraries and then back into kernel space for transmission. kTLS also allows TLS processing to be offloaded to hardware, including offloading TLS symmetric cryptographic processing to network devices .
Modern Linux and FreeBSD kernels support TLS offloading into the kernel, and now NGINX Open Source does too! NGINX 1.21.4 introduces support for kTLS when you need static files with SSL_sendfile()
, which can greatly improve performance. As described below, both the kernel and OpenSSL must be compiled with kTLS for NGINX to use SSL_sendfile()
.
In this blog we detail which operating system and versions of OpenSSL support kTLS and show how to build and configure the kernel and NGINX for kTLS. To give you an idea of the performance improvement you can expect from kTLS, we also share specifications and results from our tests on FreeBSD and Ubuntu.
Note: kTLS implementations are quite new and evolving rapidly. This blog describes support for kTLS starting November 2021, but keep an eye out for the announcements on nginx.org and the NGINX blog about changes to the information and instructions provided here.
General requirements
- Operating System - One of the following:
- FreeBSD 13.0+. As of November 2021, FreeBSD 13.0+ is the only operating system that supports kTLS in NGINX without a manual build of NGINX to incorporate OpenSSL 3.0.0+. You see Enable NGINX with kTLS on FreeBSD .
- A Linux distribution based on Linux kernel version 4.17 or later, although we recommend using those based on version 5.2 or later whenever possible. (KTLS support is actually available in version 4.13, but OpenSSL 3.0.0 requires kernel header version 4.17 or later.)
- OpenSSL - Version 3.0.0 or later
- NGINX - Version 1.21.4 or later
Performance improvement with kTLS
When serving static files under heavy load conditions, SSL_sendfile()
is possible increase throughput to 2 times the user space TLS, but the size of the performance increase depends significantly on various factors (disk performance, system load, etc.). You can also reduce CPU usage if your network adapter supports TLS offload.
Riepilogo
NGINX 1.21.4 introduces support for kTLS when serving static files with SSL_sendfile()
. Our tests show that performance improves between 8% and 29%, depending on the operating system.