Motivation. vanilla-epoll already serves plaintext static zero-copy via sendfile (queue_file). The 2026 gold standard for HTTPS static is kTLS + SSL_sendfile: move the TLS record layer into the kernel (setsockopt(SOL_TCP, TCP_ULP, "tls") + TLS_TX) so a file can be sent over TLS without the userspace encrypt round-trip — the Netflix model. (Software kTLS still encrypts in-kernel — not byte-copy-free — but removes the userspace round-trip; nginx reports ~8–16% on Linux. True zero-copy needs NIC inline TLS offload, which never engages on loopback.)
What to investigate / build.
- vanilla's TLS path is mbedTLS (
backend_epoll/tls_conn_linux.c.v), not OpenSSL. The hard part is exporting the negotiated symmetric keys after the handshake and pushing them to the kernel ULP (TLS_TX/TLS_RX crypto_info). Confirm mbedTLS can export keys (or gate kTLS behind an OpenSSL-backed TLS option).
- Once the socket is a kTLS socket, the existing
queue_file/sendfile body path streams the asset and the kernel frames+encrypts it (16 KiB records).
- Cipher gating: kTLS supports AES-GCM-128/256, AES-CCM-128, ChaCha20-Poly1305; handshake/alerts/KeyUpdate stay in userspace.
Validation. Loopback only exercises software kTLS (TlsTxSw in /proc/net/tls_stat), no NIC offload — so measure the userspace-round-trip removal locally; true offload needs a real NIC (see the real-NIC issue).
Context: zero-copy landscape study + the C PoC in this campaign. Relates to the json-tls arena profile.
Motivation. vanilla-epoll already serves plaintext static zero-copy via
sendfile(queue_file). The 2026 gold standard for HTTPS static is kTLS +SSL_sendfile: move the TLS record layer into the kernel (setsockopt(SOL_TCP, TCP_ULP, "tls")+TLS_TX) so a file can be sent over TLS without the userspace encrypt round-trip — the Netflix model. (Software kTLS still encrypts in-kernel — not byte-copy-free — but removes the userspace round-trip; nginx reports ~8–16% on Linux. True zero-copy needs NIC inline TLS offload, which never engages on loopback.)What to investigate / build.
backend_epoll/tls_conn_linux.c.v), not OpenSSL. The hard part is exporting the negotiated symmetric keys after the handshake and pushing them to the kernel ULP (TLS_TX/TLS_RXcrypto_info). Confirm mbedTLS can export keys (or gate kTLS behind an OpenSSL-backed TLS option).queue_file/sendfile body path streams the asset and the kernel frames+encrypts it (16 KiB records).Validation. Loopback only exercises software kTLS (
TlsTxSwin/proc/net/tls_stat), no NIC offload — so measure the userspace-round-trip removal locally; true offload needs a real NIC (see the real-NIC issue).Context: zero-copy landscape study + the C PoC in this campaign. Relates to the
json-tlsarena profile.