diff --git a/apps/s_client.c b/apps/s_client.c index 3b9be0e8c2..6ccb7a42d0 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -467,6 +467,7 @@ typedef enum OPTION_choice { OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME, OPT_ENABLE_PHA, OPT_SCTP_LABEL_BUG, + OPT_KTLS, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -664,6 +665,9 @@ const OPTIONS s_client_options[] = { {"srp_strength", OPT_SRP_STRENGTH, 'p', "(deprecated) Minimal length in bits for N"}, #endif +#ifndef OPENSSL_NO_KTLS + {"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"}, +#endif OPT_R_OPTIONS, OPT_S_OPTIONS, @@ -888,6 +892,9 @@ int s_client_main(int argc, char **argv) int sctp_label_bug = 0; #endif int ignore_unexpected_eof = 0; +#ifndef OPENSSL_NO_KTLS + int enable_ktls = 0; +#endif FD_ZERO(&readfds); FD_ZERO(&writefds); @@ -1457,6 +1464,11 @@ int s_client_main(int argc, char **argv) case OPT_ENABLE_PHA: enable_pha = 1; break; + case OPT_KTLS: +#ifndef OPENSSL_NO_KTLS + enable_ktls = 1; +#endif + break; } } @@ -1700,6 +1712,10 @@ int s_client_main(int argc, char **argv) if (ignore_unexpected_eof) SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF); +#ifndef OPENSSL_NO_KTLS + if (enable_ktls) + SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS); +#endif if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 6328cd07d9..709bc49375 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -116,6 +116,7 @@ B B [B<-srp_lateuser>] [B<-srp_moregroups>] [B<-srp_strength> I] +[B<-ktls>] {- $OpenSSL::safe::opt_name_synopsis -} {- $OpenSSL::safe::opt_version_synopsis -} {- $OpenSSL::safe::opt_x_synopsis -} @@ -765,6 +766,12 @@ Tolerate other than the known B and B values. Set the minimal acceptable length, in bits, for B. This option is deprecated. +=item B<-ktls> + +Enable Kernel TLS for sending and receiving. +This option was introduced in OpenSSL 3.1.0. +Kernel TLS is off by default as of OpenSSL 3.1.0. + {- $OpenSSL::safe::opt_version_item -} {- $OpenSSL::safe::opt_name_item -}