| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPdwGJGUxhqiocBX@horms.kernel.org> Date: Tue, 21 Oct 2025 12:35:52 +0100 From: Simon Horman <horms@...nel.org> To: Wilfred Mallawa <wilfred.opensource@...il.com> Cc: netdev@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org, "David S . Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Jonathan Corbet <corbet@....net>, John Fastabend <john.fastabend@...il.com>, Sabrina Dubroca <sd@...asysnail.net>, Shuah Khan <shuah@...nel.org>, Wilfred Mallawa <wilfred.mallawa@....com> Subject: Re: [PATCH net-next v7 1/2] net/tls: support setting the maximum payload size On Tue, Oct 21, 2025 at 07:29:17PM +1000, Wilfred Mallawa wrote: ... > diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst > index 36cc7afc2527..ecaa7631ec46 100644 > --- a/Documentation/networking/tls.rst > +++ b/Documentation/networking/tls.rst > @@ -280,6 +280,28 @@ If the record decrypted turns out to had been padded or is not a data > record it will be decrypted again into a kernel buffer without zero copy. > Such events are counted in the ``TlsDecryptRetry`` statistic. > > +TLS_TX_MAX_PAYLOAD_LEN > +~~~~~~~~~~~~~~~~~~~~~~ > + > +Specifies the maximum size of the plaintext payload for transmitted TLS records. > + > +When this option is set, the kernel enforces the specified limit on all outgoing > +TLS records. No plaintext fragment will exceed this size. This option can be used > +to implement the TLS Record Size Limit extension [1]. > + - For TLS 1.2, the value corresponds directly to the record size limit. Hi Wilfred, Unfortunately make htmldocs seems unhappy with the line above. .../tls.rst:291: ERROR: Unexpected indentation. [docutils] This was with Sphinx 8.1.3. > + - For TLS 1.3, the value should be set to record_size_limit - 1, since > + the record size limit includes one additional byte for the ContentType > + field. > + > +The valid range for this option is 64 to 16384 bytes for TLS 1.2, and 63 to > +16384 bytes for TLS 1.3. The lower minimum for TLS 1.3 accounts for the > +extra byte used by the ContentType field. > + > +For TLS 1.3, getsockopt() will return the total plaintext fragment length, > +inclusive of the ContentType field. > + > +[1] https://datatracker.ietf.org/doc/html/rfc8449 > + > Statistics > ========== ...
Powered by blists - more mailing lists