authorluwenpeng <[email protected]>2020-01-08 17:27:39 +0800
committerluwenpeng <[email protected]>2020-07-08 18:01:00 +0800
commit84321b373645e251356b1db0fba6d192aed7be56 (patch)
tree8f0985dbb9b45e11900f28ea1752f262a6032692
parentb9ba135dd939f7db894bb471fcd5d79bde75b72c (diff)
为了使用 qat 的对称加密功能,禁用 Encrypt-then-MACfeature-ssl-support-async-for-qat
-rw-r--r--platform/src/ssl_stream.cpp13
1 files changed, 13 insertions, 0 deletions
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 024b4ab..173e1c7 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -1720,6 +1720,19 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr)
if (mgr->enable_qat)
{
SSL_CTX_set_mode(sslctx, SSL_MODE_ASYNC);
+
+ // https://tools.ietf.org/html/rfc7366
+ //
+ // In OpenSSL 1.1.1e-dev, Encrypt-then-MAC was introduced for the first time
+ // in order to solve security problems, and it is enabled by default.
+ //
+ // This is causing Encrypted Then Mac to get negotiated. This means that the
+ // chained cipher is not negotiated and the AES operation and hashing operation
+ // are not offloaded individually.
+ //
+ // However, here we have to disable ENCRYPT_THEN_MAC in order to improve the
+ // performance of visual qat acceleration.
+ SSL_CTX_set_options(sslctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
}
}
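Review bot: The `SSL_CTX_set_options(sslctx, SSL_OP_NO_ENCRYPT_THEN_MAC)` call added under `mgr->enable_qat` turns off RFC 7366 for every connection created from this context, so CBC suites fall back to MAC-then-encrypt, the construction Encrypt-then-MAC was introduced to replace because of padding-oracle weaknesses; the comment above it presents this only as a performance choice. The comment should state that cost, for example `// Security trade-off: CBC suites revert to MAC-then-encrypt; prefer AEAD suites (AES-GCM) where the peer supports them.` The option has no effect on AEAD suites or on TLS 1.3, so it may be worth checking whether restricting the cipher list to AEAD suites when QAT is enabled would keep the offload without this downgrade. The version named in the comment also looks off, since Encrypt-then-MAC support appears to date from OpenSSL 1.1.0 rather than 1.1.1e-dev. `sslctx_set_opts` begins outside the hunk, so options set earlier in the function are not visible here.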