From: Olivier Houchard Date: Wed, 13 Aug 2025 16:34:10 +0000 (+0000) Subject: MINOR: ssl: Add a way to globally disable ktls. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2F20250820-ktls;p=thirdparty%2Fhaproxy.git MINOR: ssl: Add a way to globally disable ktls. Add a new global option, "noktls", as well as a command line option, "-dT", to totally disable ktls usage, even if it is activated on servers or binds in the configuration. That makes it easier to quickly figure out if a problem is related to ktls or not. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 50269e8b4..a23554429 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -1819,6 +1819,7 @@ The following keywords are supported in the "global" section : - noevports - nogetaddrinfo - nokqueue + - noktls - nopoll - noreuseport - nosplice @@ -3791,6 +3792,10 @@ nokqueue equivalent to the command-line argument "-dk". The next polling system used will generally be "poll". See also "nopoll". +noktls + Disables the use of ktls. It is equivalent to the command line argument + "-dT". + nopoll Disables the use of the "poll" event polling system. It is equivalent to the command-line argument "-dp". The next polling system used will be "select". diff --git a/doc/management.txt b/doc/management.txt index b45167b0d..1953f7fa7 100644 --- a/doc/management.txt +++ b/doc/management.txt @@ -390,6 +390,10 @@ list of options is : using strace to see the forwarded data (which do not appear when using splice()). + -dT : disable the use of ktls. It is equivalent to the "global" section's + keyword "noktls". It is mostly useful when suspecting a bug related to + ktls. + -dV : disable SSL verify on the server side. It is equivalent to having "ssl-server-verify none" in the "global" section. This is useful when trying to reproduce production issues out of the production 
diff --git a/include/haproxy/global-t.h b/include/haproxy/global-t.h index cc1acef07..647f1a32c 100644 --- a/include/haproxy/global-t.h +++ b/include/haproxy/global-t.h @@ -85,6 +85,7 @@ #define GTUNE_LISTENER_MQ_FAIR (1<<27) #define GTUNE_LISTENER_MQ_OPT (1<<28) #define GTUNE_LISTENER_MQ_ANY (GTUNE_LISTENER_MQ_FAIR | GTUNE_LISTENER_MQ_OPT) +#define GTUNE_NO_KTLS (1<<29) /* subsystem-specific debugging options for tune.debug */ #define GDBG_CPU_AFFINITY (1U<< 0) diff --git a/src/cfgparse-global.c b/src/cfgparse-global.c index 7220ec0fa..c7203b76d 100644 --- a/src/cfgparse-global.c +++ b/src/cfgparse-global.c @@ -990,6 +990,21 @@ static int cfg_parse_global_mode(char **args, int section_type, return 0; } +static int cfg_parse_global_disable_ktls(char **args, int section_type, + struct proxy *curpx, const struct proxy *defpx, + const char *file, int line, char **err) +{ + if (!(global.mode & MODE_DISCOVERY)) + return 0; + + if (too_many_args(0, args, err, NULL)) + return -1; + + global.tune.options |= GTUNE_NO_KTLS; + + return 0; +} + /* Disable certain poller if set */ static int cfg_parse_global_disable_poller(char **args, int section_type, struct proxy *curpx, const struct proxy *defpx, @@ -1767,6 +1782,7 @@ static struct cfg_kw_list cfg_kws = {ILH, { { CFG_GLOBAL, "noepoll", cfg_parse_global_disable_poller, KWF_DISCOVERY }, { CFG_GLOBAL, "noevports", cfg_parse_global_disable_poller, KWF_DISCOVERY }, { CFG_GLOBAL, "nokqueue", cfg_parse_global_disable_poller, KWF_DISCOVERY }, + { CFG_GLOBAL, "noktls", cfg_parse_global_disable_ktls, KWF_DISCOVERY }, { CFG_GLOBAL, "nopoll", cfg_parse_global_disable_poller, KWF_DISCOVERY }, { CFG_GLOBAL, "pidfile", cfg_parse_global_pidfile, KWF_DISCOVERY }, { CFG_GLOBAL, "prealloc-fd", cfg_parse_prealloc_fd }, diff --git a/src/haproxy.c b/src/haproxy.c index e0f196a34..52d93c228 100644 --- a/src/haproxy.c +++ b/src/haproxy.c 
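Review bot: cfg_parse_global_disable_ktls lands without a header comment while its neighbour carries `/* Disable certain poller if set */`; add `/* Parse "noktls": globally disable kTLS regardless of per-server or per-bind settings. Only honoured during the discovery pass. */` above the definition. The parser and the "noktls" keyword entry are also compiled unconditionally, whereas the matching `-dT` handler in src/haproxy.c exists only under HA_USE_KTLS, so a build without kTLS accepts the keyword silently; that is reasonable for configuration portability, but it should be stated in the comment so the asymmetry reads as deliberate. GTUNE_NO_KTLS itself is defined without a guard in global-t.h, which is what keeps this file compiling in all builds.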
@@ -708,6 +708,9 @@ static void usage(char *name) " -dF disable fast-forward\n" " -dI enable insecure fork\n" " -dZ disable zero-copy forwarding\n" +#if defined(HA_USE_KTLS) + " -dT disable kTLS\n" +#endif " -sf/-st [pid ]* finishes/terminates old pids.\n" " -x get listening sockets from a unix socket\n" " -S [,...] new master CLI\n" @@ -1588,6 +1591,11 @@ static void init_args(int argc, char **argv) trace_parse_cmd(NULL, NULL); } } +#ifdef HA_USE_KTLS + else if (*flag == 'd' && flag[1] == 'T') { + global.tune.options |= GTUNE_NO_KTLS; + } +#endif else if (*flag == 'd') arg_mode |= MODE_DEBUG; else if (*flag == 'c' && flag[1] == 'c') { diff --git a/src/ssl_sock.c b/src/ssl_sock.c index f2766ae86..b82fda1b3 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -5420,7 +5420,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) HA_RWLOCK_RDUNLOCK(SSL_SERVER_LOCK, &srv->ssl_ctx.lock); #ifdef HA_USE_KTLS - if (srv->ssl_ctx.options & SRV_SSL_O_KTLS) { + if ((srv->ssl_ctx.options & SRV_SSL_O_KTLS) && !(global.tune.options & GTUNE_NO_KTLS)) { #ifdef HAVE_VANILLA_OPENSSL SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS); #endif @@ -5465,7 +5465,7 @@ static int ssl_sock_init(struct connection *conn, void **xprt_ctx) #endif #ifdef HA_USE_KTLS - if (bc->ssl_conf.ktls) { + if (bc->ssl_conf.ktls && !(global.tune.options & GTUNE_NO_KTLS)) { #ifdef HAVE_VANILLA_OPENSSL SSL_set_options(ctx->ssl, SSL_OP_ENABLE_KTLS); #endif
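Review bot: On a build without HA_USE_KTLS the new `-dT` branch is compiled out, so the flag falls through to the existing `else if (*flag == 'd') arg_mode |= MODE_DEBUG;` catch-all and silently switches the process into debug mode instead of being a no-op or an error. Since GTUNE_NO_KTLS and the "noktls" keyword are unconditional in this same series, dropping the `#ifdef HA_USE_KTLS` around this branch makes `-dT` always recognised and harmless where kTLS is not built in; the usage() entry can stay conditional. The usage() hunk spells the guard `#if defined(HA_USE_KTLS)` while this hunk uses `#ifdef HA_USE_KTLS`; pick one form. init_args continues outside the hunk.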
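Review bot: The same `!(global.tune.options & GTUNE_NO_KTLS)` test is spliced into two already-long conditions in ssl_sock_init (the server side here and the bind side in the second hunk), so the global override is re-evaluated on every connection from the per-object flags. Any other code that reads `srv->ssl_ctx.options & SRV_SSL_O_KTLS` or `bc->ssl_conf.ktls` directly — I cannot see from these hunks whether such readers exist — would still report kTLS as enabled. Clearing those per-server and per-bind flags once after configuration parsing when GTUNE_NO_KTLS is set would need no per-call-site change and would keep any status output consistent with what is actually negotiated. At minimum, a comment such as `/* "noktls" / -dT take precedence over per-server and per-bind kTLS settings */` on the new conditions would document the precedence. ssl_sock_init starts and ends outside these hunks.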