February 4 2022

NGINX performance improvement with kernel TLS and SSL_sendfile ()

Move the cryptographic implementation from user space to kernel space.


Transport Layer Security (TLS) is an extremely popular encryption protocol. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copy operations between user space and the kernel.

The combination of kTLS and sendfile()it means that the data is encrypted directly in kernel space, before being passed to the network stack for transmission. This eliminates the need to copy data into user space to be encrypted by TLS libraries and then back into kernel space for transmission. kTLS also allows TLS processing to be offloaded to hardware, including offloading TLS symmetric cryptographic processing to network devices .

Modern Linux and FreeBSD kernels support TLS offloading into the kernel, and now NGINX Open Source does too! NGINX 1.21.4 introduces support for kTLS when you need static files with SSL_sendfile(), which can greatly improve performance. As described below, both the kernel and OpenSSL must be compiled with kTLS for NGINX to use SSL_sendfile().

In this blog we detail which operating system and versions of OpenSSL support kTLS and show how to build and configure the kernel and NGINX for kTLS. To give you an idea of ​​the performance improvement you can expect from kTLS, we also share specifications and results from our tests on FreeBSD and Ubuntu.

Note: kTLS implementations are quite new and evolving rapidly. This blog describes support for kTLS starting November 2021, but keep an eye out for the announcements on nginx.org and NGINX blog about changes to the information and instructions provided here.

General requirements

  • Operating System - One of the following:
    • FreeBSD 13.0+. As of November 2021, FreeBSD 13.0+ is the only operating system that supports kTLS in NGINX without a manual build of NGINX to incorporate OpenSSL 3.0.0+. You see Enable NGINX with kTLS on FreeBSD .
    • A Linux distribution based on Linux kernel version 4.17 or later, although we recommend using those based on version 5.2 or later whenever possible. (KTLS support is actually available in version 4.13, but OpenSSL 3.0.0 requires kernel header version 4.17 or later.)
  • OpenSSL - Version 3.0.0 or later
  • NGINX - Version 1.21.4 or later

Performance improvement with kTLS

When serving static files under heavy load conditions, SSL_sendfile()it's possible increase throughput to 2 times the user space TLS, but the size of the performance increase depends significantly on various factors (disk performance, system load, etc.). You can also reduce CPU usage if your network adapter supports TLS offload.


NGINX 1.21.4 introduces support for kTLS when serving static files with SSL_sendfile(). Our tests show that performance improves between 8% and 29%, depending on the operating system.


Do you have doubts? Not sure where to start? Contact us

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.


Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.


ManagedServer.it is the leading Italian provider of high performance hosting solutions. Our subscription model is affordable and predictable, so customers can access our reliable hosting technologies, dedicated servers and the cloud. ManagedServer.it also offers excellent support and consulting services on Hosting of the main Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Magento.

Scroll to Top