MINOR: ssl: Add a way to globally disable ktls.

Add a new global option, "noktls", as well as a command line option, "-dT", to totally disable ktls usage, even if it is activated on servers or binds in the configuration. That makes it easier to quickly figure out if a problem is related to ktls or not.
2025-09-20 13:21:29 +02:00 · 2025-08-13 16:34:10 +00:00 · 2025-08-13 16:34:10 +00:00 · 6f21c5631a
commit 6f21c5631a
parent 5da3540988
6 changed files with 36 additions and 2 deletions
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@ -1819,6 +1819,7 @@ The following keywords are supported in the "global" section :
   - noevports
   - nogetaddrinfo
   - nokqueue
+   - noktls
   - nopoll
   - noreuseport
   - nosplice
@ -3791,6 +3792,10 @@ nokqueue
  equivalent to the command-line argument "-dk". The next polling system
  used will generally be "poll". See also "nopoll".

+noktls
+  Disables the use of ktls. It is equivalent to the command line argument
+  "-dT".
+
 nopoll
  Disables the use of the "poll" event polling system. It is equivalent to the
  command-line argument "-dp". The next polling system used will be "select".
--- a/doc/management.txt
+++ b/doc/management.txt
@ -390,6 +390,10 @@ list of options is :
    using strace to see the forwarded data (which do not appear when using
    splice()).

+  -dT : disable the use of ktls. It is equivalent to the "global" section's
+   keyword "noktls". It is mostly useful when suspecting a bug related to
+   ktls.
+
  -dV : disable SSL verify on the server side. It is equivalent to having
    "ssl-server-verify none" in the "global" section. This is useful when
    trying to reproduce production issues out of the production
--- a/include/haproxy/global-t.h
+++ b/include/haproxy/global-t.h
@ -85,6 +85,7 @@
 #define GTUNE_LISTENER_MQ_FAIR   (1<<27)
 #define GTUNE_LISTENER_MQ_OPT    (1<<28)
 #define GTUNE_LISTENER_MQ_ANY    (GTUNE_LISTENER_MQ_FAIR | GTUNE_LISTENER_MQ_OPT)
+#define GTUNE_NO_KTLS            (1<<29)

 /* subsystem-specific debugging options for tune.debug */
 #define GDBG_CPU_AFFINITY           (1U<< 0)
--- a/src/cfgparse-global.c
+++ b/src/cfgparse-global.c
@ -990,6 +990,21 @@ static int cfg_parse_global_mode(char **args, int section_type,
 	return 0;
 }

+static int cfg_parse_global_disable_ktls(char **args, int section_type,
+					 struct proxy *curpx, const struct proxy *defpx,
+					 const char *file, int line, char **err)
+{
+	if (!(global.mode & MODE_DISCOVERY))
+                return 0;
+
+	if (too_many_args(0, args, err, NULL))
+		return -1;
+
+	global.tune.options |= GTUNE_NO_KTLS;
+
+	return 0;
+}
+
 /* Disable certain poller if set */
 static int cfg_parse_global_disable_poller(char **args, int section_type,
 					   struct proxy *curpx, const struct proxy *defpx,
@ -1767,6 +1782,7 @@ static struct cfg_kw_list cfg_kws = {ILH, {
 	{ CFG_GLOBAL, "noepoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
 	{ CFG_GLOBAL, "noevports", cfg_parse_global_disable_poller, KWF_DISCOVERY },
 	{ CFG_GLOBAL, "nokqueue", cfg_parse_global_disable_poller, KWF_DISCOVERY },
+	{ CFG_GLOBAL, "noktls", cfg_parse_global_disable_ktls, KWF_DISCOVERY },
 	{ CFG_GLOBAL, "nopoll", cfg_parse_global_disable_poller, KWF_DISCOVERY },
 	{ CFG_GLOBAL, "pidfile", cfg_parse_global_pidfile, KWF_DISCOVERY },
 	{ CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd },
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -708,6 +708,9 @@ static void usage(char *name)
 		"        -dF disable fast-forward\n"
 		"        -dI enable insecure fork\n"
 		"        -dZ disable zero-copy forwarding\n"
+#if defined(HA_USE_KTLS)
+		"        -dT disable kTLS\n"
+#endif
 		"        -sf/-st [pid ]* finishes/terminates old pids.\n"
 		"        -x <unix_socket> get listening sockets from a unix socket\n"
 		"        -S <bind>[,<bind options>...] new master CLI\n"
@ -1588,6 +1591,11 @@ static void init_args(int argc, char **argv)
 					trace_parse_cmd(NULL, NULL);
 				}
 			}
+#ifdef HA_USE_KTLS
+			else if (*flag == 'd' && flag[1] == 'T') {
+				global.tune.options |= GTUNE_NO_KTLS;
+			}
+#endif
 			else if (*flag == 'd')
 				arg_mode |= MODE_DEBUG;
 			else if (*flag == 'c' && flag[1] == 'c') {
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@ -5420,7 +5420,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 		HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock);

 #ifdef HA_USE_KTLS
-		if (srv->ssl_ctx.options & SRV_SSL_O_KTLS) {
+		if ((srv->ssl_ctx.options & SRV_SSL_O_KTLS) && !(global.tune.options & GTUNE_NO_KTLS)) {
 #ifdef HAVE_VANILLA_OPENSSL
 			SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
 #endif
@ -5465,7 +5465,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx)
 #endif

 #ifdef HA_USE_KTLS
-		if (bc->ssl_conf.ktls) {
+		if (bc->ssl_conf.ktls && !(global.tune.options & GTUNE_NO_KTLS)) {
 #ifdef HAVE_VANILLA_OPENSSL
 			SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS);
 #endif