Cryptography: How OpenSSL 3.0 enables an app to create a special TLS Socket

Cryptography: How OpenSSL 3.0 enables an app to create a special TLS Socket

 
To learn more on cryptography check out my tutorial here

What is TLS?

 
TLS (Transport Layer Security) is a cryptographic protocol used to provide secure communication over the internet. It ensures that data exchanged between a client and server remains encrypted and protected from eavesdropping, tampering, and man-in-the-middle attacks. TLS is commonly used for secure web browsing (HTTPS), email, and other applications that require secure communication.
 

What is Kernel TLS?

 
Kernel TLS (KTLS) is a feature that allows the operating system kernel to handle TLS encryption and decryption operations. Traditionally, TLS operations are performed in user space i.e., inside your application via libraries like OpenSSL or GnuTLS. With KTLS, the kernel takes care of TLS operations, reducing the overhead of context switching between user space and kernel space. Why? :
 
  • Encrypting/decrypting large volumes of data is expensive.
  • The user-kernel switch (context switch) is also expensive.
  • Applications often just encrypt and send (or receive and decrypt) data. So doing this entirely in the kernel saves CPU cycles and system calls.
By offloading TLS operations to the kernel, KTLS can improve performance, reduce latency, and increase system efficiency. This is particularly beneficial for high-throughput and low-latency applications, such as:
  • High-performance web servers
  • Load balancers
  • Network appliances
 
Think of traditional TLS like this: "App writes plaintext → OpenSSL encrypts it in user space → Kernel sends encrypted bytes via TCP.”
 
With kTLS: "App writes plaintext → Kernel encrypts and sends it over TCP directly (after setup via OpenSSL)." So once the connection is set up, your application can just treat the socket like a raw TCP socket — the kernel handles the TLS part.
 

What is a TCP Socket?

 
A TCP socket is an endpoint for sending or receiving data across a TCP (Transmission Control Protocol) connection.
Think of It Like a Phone Call:
  • A socket is your phone.
  • The TCP protocol is the phone line (reliable, ordered communication).
  • A TCP socket allows two programs (often on different machines) to "call" each other and exchange data reliably.
 
In Technical Terms:
A TCP socket is:
  • A file descriptor created with socket(AF_INET, SOCK_STREAM, 0) in C (or socket.socket(socket.AF_INET, socket.SOCK_STREAM) in Python).
  • It supports:
    • Connection-oriented communication (needs connect() or accept()).
    • Byte-stream semantics (data arrives in order, without boundaries).
    • Reliable delivery (retries/loss recovery built-in).
 

Example of how to create a socket in Python

import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Create a TCP socket s.connect(("example.com", 80)) # Connect to server s.sendall(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n") print(s.recv(1024).decode()) s.close()

What is a TLS socket?

 
A TLS socket is a network socket that uses the TLS protocol to establish a secure connection between two endpoints. Just like a TCP socket, a TLS socket provides a connection-oriented, reliable, and sequenced stream of bytes. However, unlike TCP sockets, TLS sockets add an additional layer of encryption and authentication to ensure the confidentiality and integrity of the data being transmitted. Think of a TLS socket as a secure pipe between two endpoints, where data is encrypted and decrypted automatically by the TLS protocol.
 
A TLS socket is essentially a regular network socket (like a TCP socket) that’s wrapped with encryption, so all reads/writes go through TLS.
 
In OpenSSL 3.0 with kTLS:
  • You establish a TLS connection as usual (e.g., via SSL_connect() or SSL_accept()).
  • Then, OpenSSL can hand off the encryption context to the kernel, if the system supports kTLS.
  • At that point, the OpenSSL SSL_write()/SSL_read() calls are thin wrappers around regular send()/recv(), because the kernel is handling encryption.
 

Kernel TLS and TLS Sockets

 
When Kernel TLS is enabled, an application using OpenSSL can create a special TLS socket that leverages the kernel's TLS capabilities. This means that the kernel handles TLS operations, such as encryption, decryption, and authentication, for the socket.
 
Here's a high-level overview of how it works:
  • The application creates a TLS socket using OpenSSL.
  • The kernel allocates resources for the TLS socket and sets up the necessary cryptographic context.
  • When the application sends data over the TLS socket, the kernel encrypts the data and transmits it over the network.
  • When the application receives data over the TLS socket, the kernel decrypts the data and delivers it to the application.
  • By offloading TLS operations to the kernel, applications can benefit from improved performance, reduced latency, and increased system efficiency.
 

Benefits of Kernel TLS

The benefits of Kernel TLS include:
  • Improved performance: Reduced overhead of context switching between user space and kernel space.
  • Increased efficiency: Kernel TLS can handle TLS operations more efficiently than user-space libraries.
  • Better security: Kernel TLS can provide an additional layer of security by reducing the attack surface of user-space libraries.
 

Kernel TLS requirements

  • A recent Linux kernel (≥ 4.13 for send-side; ≥ 5.2 for recv-side).
  • Hardware offload support (optional, but helpful).
  • OpenSSL 3.0+ (to negotiate and enable kTLS).
  • Specific cipher suites (AES-GCM, CHACHA20-POLY1305; limited to TLS 1.2/1.3).