From cb3fd012cd4c96cb635a5e82162bebc91e49b646 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Wed, 28 Jan 2026 10:42:37 +0100
Subject: [PATCH] DOC: config: mention some possible TLS versions restrictions
 for kTLS

It took me one hour of trial and fail to figure that kTLS and splicing
were not used only for reasons of TLS version, and that switching to
TLS v1.2 solved the issue. Thus, let's mention it in the doc so that
others find it more easily in the future.

This should be backported to 3.3.
---
 doc/configuration.txt | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 8c798c06f..4de08f504 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -17220,7 +17220,9 @@ interface <interface>
 ktls <on|off> [ EXPERIMENTAL ]
   Enables or disables ktls for those sockets. If enabled, kTLS will be used
   if the kernel supports it and the cipher is compatible. This is only
-  available on Linux kernel 4.17 and above.
+  available on Linux kernel 4.17 and above. Please note that some network
+  drivers and/or TLS stacks might restrict kTLS usage to TLS v1.2 only. See
+  also "force-tlsv12".
 
 label <label>
   Sets an optional label for these sockets. It could be used group sockets by
@@ -18480,9 +18482,10 @@ See also: "option tcp-check", "option httpchk"
 ktls <on|off> [ EXPERIMENTAL ]
   May be used in the following contexts: tcp, http, log, peers, ring
 
-  Enables or disables ktls for those sockets. If enabled, kTLS will be used
-  if the kernel supports it and the cipher is compatible.
-  This is only available on Linux.
+  Enables or disables ktls for those sockets. If enabled, kTLS will be used if
+  the kernel supports it and the cipher is compatible. This is only available
+  on Linux 4.17 and above. Please note that some network drivers and/or TLS
+  stacks might restrict kTLS usage to TLS v1.2 only. See also "force-tlsv12".
 
 log-bufsize <bufsize>
   May be used in the following contexts: log
-- 
2.47.3