https://github.com/compio-rs/compio-ktls
Kernel TLS (kTLS) support for Compio
- Host: GitHub
- URL: https://github.com/compio-rs/compio-ktls
- Owner: compio-rs
- License: apache-2.0
- Created: 2026-03-21T16:07:36.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-04-26T20:19:58.000Z (about 2 months ago)
- Last Synced: 2026-04-26T20:26:33.141Z (about 2 months ago)
- Topics: async, compio, ktls, tls
- Language: Rust
- Homepage:
- Size: 132 KB
- Stars: 5
- Watchers: 0
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.Apache-2.0
README
# compio-ktls
Kernel TLS (kTLS) support for [Compio](https://github.com/compio-rs/compio).
## Overview
- Built on top of [ktls-core](https://github.com/hanyu-dev/ktls)
- Not tied to any specific Compio runtime implementation
- Pluggable TLS implementations (currently supports Rustls)
- Currently supports TLS 1.3 only
- Supports NewSessionTicket, KeyUpdate, and Alert message handling
- Supports splitting `KtlsStream` into read/write halves for concurrent I/O
## Features
- `rustls` (default): Enable Rustls integration
- `ring`: Use ring as the crypto backend
- `sync`: Use thread-safe locks for the split read/write halves. By default, single-threaded
(unsync) locks are used. Enable this feature if you need to use the split halves across
threads.
## Usage
```rust
use compio_ktls::{KtlsConnector, KtlsAcceptor};

// Client side
let connector = KtlsConnector::from(client_config);
match connector.connect("example.com", tcp_stream).await? {
    Ok(stream) => {
        // kTLS enabled successfully
    }
    Err(stream) => {
        // kTLS unavailable, fallback to original stream
    }
}

// Server side
let acceptor = KtlsAcceptor::from(server_config);
match acceptor.accept(tcp_stream).await? {
    Ok(stream) => {
        // kTLS enabled successfully
    }
    Err(stream) => {
        // kTLS unavailable, fallback to original stream
    }
}
```
You can split a `KtlsStream` into independent read and write halves for concurrent I/O:
```rust
use compio::io::util::Splittable;
let (mut reader, mut writer) = stream.split();
// Now reader and writer can be used concurrently
```
## Requirements
Requires a Linux kernel with kTLS support; version 6.6 LTS or newer is recommended.
Check if the kTLS module is loaded:
```bash
lsmod | grep tls
```
If not loaded, you can manually load it:
```bash
sudo modprobe tls
```
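A stricter preflight for deployment scripts, as an added example that is not part of the compio-ktls repository: `lsmod` lists only loadable modules and `grep tls` matches any name containing `tls`, so this reads the kernel's list of registered TCP upper-layer protocols (`/proc/sys/net/ipv4/tcp_available_ulp`) and compares the kernel release against the recommended 6.6. The function names are illustrative, and both values can be passed in as arguments so the logic can be tested off-box.

```bash
# Added example, not from the compio-ktls repository. Function names are illustrative.

# kernel_at_least RELEASE MAJOR MINOR
# Succeeds if a `uname -r` style string (e.g. "6.8.0-45-generic") is >= MAJOR.MINOR.
# Returns 2 if RELEASE cannot be parsed.
kernel_at_least() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    _major=${1%%.*}
    _rest=${1#*.}
    _minor=${_rest%%[!0-9]*}          # keep only the leading digits of the minor field
    case "$_major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$_minor" ] || return 2
    [ "$_major" -gt "$2" ] && return 0
    [ "$_major" -eq "$2" ] && [ "$_minor" -ge "$3" ]
}

# ulp_has_tls "LIST"
# Succeeds only if the space-separated ULP list contains the exact word "tls".
ulp_has_tls() {
    for _ulp in $1; do
        [ "$_ulp" = tls ] && return 0
    done
    return 1
}

# ktls_preflight [RELEASE] [ULP_LIST]
# Without arguments, inspects the running system. Fails if the tls ULP is not
# registered; an older kernel only produces a warning, since 6.6 is a recommendation.
ktls_preflight() {
    _release=${1:-$(uname -r)}
    _ulps=${2-$(cat /proc/sys/net/ipv4/tcp_available_ulp 2>/dev/null)}
    _status=0
    if ulp_has_tls "$_ulps"; then
        echo "ok:   tls ULP registered"
    else
        echo "fail: tls ULP not registered (try: sudo modprobe tls)"
        _status=1
    fi
    if kernel_at_least "$_release" 6 6; then
        echo "ok:   kernel $_release >= 6.6"
    else
        echo "warn: kernel $_release is older than the recommended 6.6"
    fi
    return "$_status"
}

# Run against the live system only when asked to: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then ktls_preflight; fi
```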
Also requires Rustls with `enable_secret_extraction` enabled:
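```rust
use std::sync::Arc;
use rustls::ClientConfig;

let mut config = ClientConfig::builder()
    .dangerous()
    .with_custom_certificate_verifier(/* ... */)
    .with_no_client_auth();

// Allow the negotiated traffic secrets to be extracted after the handshake;
// kTLS needs them to configure the kernel socket.
config.enable_secret_extraction = true;

let config = Arc::new(config);
```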
## License
Licensed under either of:
- Apache License, Version 2.0
- Mulan Permissive Software License, Version 2
`SPDX-License-Identifier: Apache-2.0 OR MulanPSL-2.0`