Comment by jeroenhd

3 years ago

The Linux kernel exposes TLS but very few people actually use it. On some hardware it can make TLS significantly faster, but on beefier hardware I doubt you'll notice the improvement much. At the cost of rewriting your entire network stack, I don't think it makes sense for many tools to switch to it.

I'd argue that the Windows crypto system and openssl really aren't all that different, concept-wise. In theory you can ship Linux without openssl, but in theory you can remove the Windows cryptography library too if you remove all of its dependencies. In both cases you'll be left with a barebones system where only statically compiled tools can talk to the modern web.

The Linux kernel only handles the TLS record layer. It's enough to use sendfile(2) on a TLS socket and that's all -- that's why it was added. Userland is still responsible for the TLS session negotiation and handing off the cryptographic keying material and parameters to the kernel; you still need a userland TLS library like OpenSSL.
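The hand-off described above (handshake in userland, record layer in the kernel), as an added C example that is not code from the comment: it assumes a connected TCP socket and AES-128-GCM write material (key, 4-byte salt, 8-byte IV, record sequence number) already produced by a userland TLS library; `ktls_tx_info_gcm128` and `ktls_attach_tx` are hypothetical helper names.

```c
/* Linux kTLS transmit-side setup. The kernel never negotiates anything; a
 * userland library runs the handshake and hands over the result via
 * setsockopt(), after which write()/sendfile() on the socket emit TLS records. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <linux/tls.h>

#ifndef SOL_TLS
#define SOL_TLS 282        /* from linux/socket.h on older userspace headers */
#endif
#ifndef TCP_ULP
#define TCP_ULP 31         /* from linux/tcp.h on older userspace headers */
#endif

/* Lay the material out the way the kernel's UAPI struct expects it:
 * .salt = the 4-byte fixed part of the nonce, .iv = the 8-byte explicit part
 * (TLS 1.2) or the remaining 8 bytes of the write IV (TLS 1.3), and .rec_seq =
 * the 64-bit big-endian record sequence number the next record will carry. */
static struct tls12_crypto_info_aes_gcm_128
ktls_tx_info_gcm128(unsigned version, const unsigned char key[16],
                    const unsigned char salt[4], const unsigned char iv[8],
                    unsigned long long seq)
{
    struct tls12_crypto_info_aes_gcm_128 ci;
    memset(&ci, 0, sizeof ci);
    ci.info.version = version;                 /* TLS_1_2_VERSION or TLS_1_3_VERSION */
    ci.info.cipher_type = TLS_CIPHER_AES_GCM_128;
    memcpy(ci.key, key, 16);
    memcpy(ci.salt, salt, 4);
    memcpy(ci.iv, iv, 8);
    for (int i = 7; i >= 0; i--) { ci.rec_seq[i] = (unsigned char)(seq & 0xff); seq >>= 8; }
    return ci;
}

/* Attach the "tls" upper-layer protocol to a connected TCP socket and install
 * the TX keys. Returns 0 or -errno (-ENOENT means the tls module is not loaded,
 * i.e. the kernel was built without it or it has not been modprobed). */
static int ktls_attach_tx(int fd, const struct tls12_crypto_info_aes_gcm_128 *ci)
{
    if (setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof "tls") < 0)
        return -errno;
    if (setsockopt(fd, SOL_TLS, TLS_TX, ci, sizeof *ci) < 0)
        return -errno;
    return 0;   /* sendfile(2) on fd now produces encrypted records */
}

/* Constructed sample material (not real keys) so the layout can be checked. */
static struct tls12_crypto_info_aes_gcm_128 ktls_demo_tx_info(void)
{
    static const unsigned char key[16] = {0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
                                          0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f};
    static const unsigned char salt[4] = {0xa0,0xa1,0xa2,0xa3};
    static const unsigned char iv[8]   = {0xb0,0xb1,0xb2,0xb3,0xb4,0xb5,0xb6,0xb7};
    return ktls_tx_info_gcm128(TLS_1_3_VERSION, key, salt, iv, 0x0102ULL);
}
```

`ktls_attach_tx` is the only call that touches the kernel; everything before it is plain struct assembly, which is where most real-world kTLS bugs (swapped salt/IV, wrong sequence number endianness) originate.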