Skip to content

kTLS + SSL_sendfile for zero-copy HTTPS static (vanilla-epoll TLS path) #76

Description

@enghitalo

Motivation. vanilla-epoll already serves plaintext static zero-copy via sendfile (queue_file). The 2026 gold standard for HTTPS static is kTLS + SSL_sendfile: move the TLS record layer into the kernel (setsockopt(SOL_TCP, TCP_ULP, "tls") + TLS_TX) so a file can be sent over TLS without the userspace encrypt round-trip — the Netflix model. (Software kTLS still encrypts in-kernel — not byte-copy-free — but removes the userspace round-trip; nginx reports ~8–16% on Linux. True zero-copy needs NIC inline TLS offload, which never engages on loopback.)

What to investigate / build.

  • vanilla's TLS path is mbedTLS (backend_epoll/tls_conn_linux.c.v), not OpenSSL. The hard part is exporting the negotiated symmetric keys after the handshake and pushing them to the kernel ULP (TLS_TX/TLS_RX crypto_info). Confirm mbedTLS can export keys (or gate kTLS behind an OpenSSL-backed TLS option).
  • Once the socket is a kTLS socket, the existing queue_file/sendfile body path streams the asset and the kernel frames+encrypts it (16 KiB records).
  • Cipher gating: kTLS supports AES-GCM-128/256, AES-CCM-128, ChaCha20-Poly1305; handshake/alerts/KeyUpdate stay in userspace.

Validation. Loopback only exercises software kTLS (TlsTxSw in /proc/net/tls_stat), no NIC offload — so measure the userspace-round-trip removal locally; true offload needs a real NIC (see the real-NIC issue).

Context: zero-copy landscape study + the C PoC in this campaign. Relates to the json-tls arena profile.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions