The kssl framework was intended to facilitate in-kernel offloading of the SSL operations required for the NCA (network cache accelerator).
The purpose of this was to accelerate serving static web page content. It was invented during the early 2000s, when systems were different and in-kernel mechanisms were needed. It also dates back before Solaris 10 fire engine, and even sendfile, when getting content to an HTTP server in user land was a lot more expensive.
However, kssl itself has not been maintained at all, and it only supports long since obsolete protocols. We don't believe it is in use anywhere, and we most emphatically believe it should NOT be in use, because the only versions of the SSL protocol it supports are widely understood to be insecure.
We should just remove it.
Updated by Dan McDonald 5 months ago
Updated by Joshua M. Clulow 5 months ago
Testing Notes (from RTI mail)
As nothing uses it, and this is a removal, testing has been limited to build, and booting, a version of these changes. (The version is somewhat modified to allow for conflicts in various things, but the net effect is that there are no vestiges of kssl anywhere.) A quick check for the existence of kssl (which is normally loaded by default in the current version) ensures that it is not present.
Updated by Electric Monk 5 months ago
- Status changed from Pending RTI to Closed
- % Done changed from 90 to 100
commit 7d10cd4ddf12f982d3bc7edcd01cc8b8d1dcc464
Author: Garrett D'Amore <firstname.lastname@example.org>
Date: 2022-07-01T23:58:10.000Z

14767 retire kssl
Reviewed by: Toomas Soome <email@example.com>
Reviewed by: Peter Tribble <firstname.lastname@example.org>
Reviewed by: Igor Kozhukhov <email@example.com>
Approved by: Joshua M. Clulow <firstname.lastname@example.org>