Less known Solaris Features: kssl
There is an interesting feature in Solaris. It is called kssl. One component of this feature is obvious: SSL. So it has something to do with SSL encryption. As you may have already guessed, the
k at the beginning stands for kernel. And kssl is exactly this: A proxy to do all the encryption stuff in a kernel module.
This feature is already four years old. I´ve reported about kssl back in December 2005 for the first time. After talking with a customer two days ago and looking at some new material about it, i thought it could not harm to write a new tutorial about this topic. So much appearances in such a small timeframe are a hint ;) .
The reasons for SSL in the kernel
There are several good reasons to to encryption in the kernel.
- The kssl proxy uses the Solaris Cryptographic Framework. Even when the application doesn´t support cryptographic libraries with PKCS#11 support, you can use the advantages of the framework like the seamless integration of hardware cryptography
- The application server just see unencrypted traffic. The complete handshake is done in the kernel-space. It´s done asynchronously and the application isn´t involved in this task.
- You don´t have to wake up the webserver for the SSL handshake to process all the messages nescessary for SSL.
- By offloading SSL into this kernel module you can yield a much better performance. Krishna Yenduri states in a presentation:
SPECweb05 banking is the main benchmark. Performance gain of more than 20% compared to a user land SSL web server. SPECweb99 _SSL showed gains of more than 35%</ul>
ConfigurationThe configuration of an SSL proxy is really easy. At first you need a certifcate and the key. For this experiment we will use a self-signed certificate. I´ve called the system
a380, thus i have to use this name in my certificate. Use the name of your own system in your configuration. Furthermore the kssl system expect key and certificate in a single file. We concatenate both files afterwards:
Now we configure the kssl proxy:
At first we create a file to automatically answer the passphrase question. Afterwards we configure the kssl service. This configuration statement tells the system to get the keys and from a pem file. The
-ioption specifies the location of the file.
-ptells the service where it finds the passphrase file. At the end you find
a380 443. This specifies on which interface and on which port the ssl should listen. At last the
-x 8080specifies to what port the the unencrypted traffic should be redirected. After configuring this service, you should see a new service managed by SMF:
Obviously we need a webserver in the backend that listens to port 8080. I assume, that you've already installed an Apache on your server. We just add a single line to the configuration file of the webserver.
When you put
https://a380:443in your browser, you should see an encrypted "It works" page after you dismissed the dialog warning you of the self-signed certificate. Or to show it to you on the command line:
Voila, web server encrypted without a single line of SSL configuration in the webserver config files itself.
ConclusionIt´s really easy to add an kssl proxy in front of your webserver. So it isn't difficult to make encrypted webserving more efficient.
Do you want to learn more?man pages
CZOSUG: KSSL - Solaris Kernel SSL proxy - presentation about KSSL.
KSSL – A Kernel Level SSL Server Proxy - a deep dive presentation about KSSL.