| -rw-r--r-- | platform/src/ssl_stream.cpp | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 024b4ab..173e1c7 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -1720,6 +1720,19 @@ static void sslctx_set_opts(SSL_CTX * sslctx, struct ssl_mgr * mgr)
 if (mgr->enable_qat) {
 SSL_CTX_set_mode(sslctx, SSL_MODE_ASYNC);
+
+ // https://tools.ietf.org/html/rfc7366
+ //
+ // In OpenSSL 1.1.1e-dev, Encrypt-then-MAC was introduced for the first time
+ // in order to solve security problems, and it is enabled by default.
+ //
+ // This is causing Encrypted Then Mac to get negotiated. This means that the
+ // chained cipher is not negotiated and the AES operation and hashing operation
+ // are not offloaded individually.
+ //
+ // However, here we have to disable ENCRYPT_THEN_MAC in order to improve the
+ // performance of visual qat acceleration.
+ SSL_CTX_set_options(sslctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
 }
 } |
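Review bot: In the `if (mgr->enable_qat)` branch, `SSL_CTX_set_options(sslctx, SSL_OP_NO_ENCRYPT_THEN_MAC)` turns off RFC 7366 for every context built with QAT enabled, yet the added comment presents it only as a performance change. Without Encrypt-then-MAC, CBC suites negotiated under TLS 1.2 and earlier fall back to MAC-then-encrypt, the construction that padding-oracle weaknesses in TLS CBC depend on; AEAD suites and TLS 1.3 are not affected. I would say so in the comment, e.g. `// SECURITY: disables RFC 7366; CBC suites fall back to MAC-then-encrypt (TLS <= 1.2 only).`, and put the option behind its own default-off setting on `struct ssl_mgr` rather than tying it to `enable_qat`. The comment's version claim also looks off, since as far as I know this option has existed since OpenSSL 1.1.0, and "visual qat" reads like a typo. The body of `sslctx_set_opts` starts above the hunk, so I cannot see whether the cipher list is already restricted to AEAD suites there.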
