From: Willy Tarreau Date: Wed, 28 Jan 2026 09:42:37 +0000 (+0100) Subject: DOC: config: mention some possible TLS versions restrictions for kTLS X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb3fd012cd4c96cb635a5e82162bebc91e49b646;p=thirdparty%2Fhaproxy.git DOC: config: mention some possible TLS versions restrictions for kTLS It took me one hour of trial and fail to figure that kTLS and splicing were not used only for reasons of TLS version, and that switching to TLS v1.2 solved the issue. Thus, let's mention it in the doc so that others find it more easily in the future. This should be backported to 3.3. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 8c798c06f..4de08f504 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -17220,7 +17220,9 @@ interface ktls [ EXPERIMENTAL ] Enables or disables ktls for those sockets. If enabled, kTLS will be used if the kernel supports it and the cipher is compatible. This is only - available on Linux kernel 4.17 and above. + available on Linux kernel 4.17 and above. Please note that some network + drivers and/or TLS stacks might restrict kTLS usage to TLS v1.2 only. See + also "force-tlsv12". label