When I was talking about the difference between HTTP/1 and HTTP/2 for downloads, it's more about when you hit the CPU limits (in most implementations HTTP/2 needs more CPU than HTTP/1, apart from optimisations like sendfile + kTLS).
Good!!
OSs That Do Not Support kTLS
The following OSs do not support kTLS, for the indicated reason:
Debian 10 and 11 – Kernel is built with the CONFIG_TLS=n option (see the Debian bug report logs).
root@host:~# lsmod | grep tls
tls 114688 0
root@host:~# hostnamectl
Static hostname: host
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: 4dad87426bdc4352bc6fbea1491af9f6
Boot ID: df4707fb3a624080878e2a56a8edc62e
Virtualization: kvm
Operating System: Debian GNU/Linux bookworm/sid
Kernel: Linux 5.17.0-1-cloud-amd64
Architecture: x86-64
Hardware Vendor: OpenStack Foundation
Hardware Model: OpenStack Nova
root@host:~# openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
root@host:~#
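The post above checks kTLS support by hand: the quoted note about Debian 10/11 kernels built with CONFIG_TLS=n, then lsmod | grep tls and openssl version on the host. As an added example, not code from the thread, here is a small POSIX shell script that automates those three checks. It assumes the kernel config is readable at /boot/config-$(uname -r) or /proc/config.gz, and treats OpenSSL 3.0 as the minimum (OpenSSL gained kTLS support in 3.0; the build must also have been configured with enable-ktls, which cannot be seen from the version string, so a passing check here is necessary but not sufficient).

```shell
#!/bin/sh
# Added example (not from the thread): automate the kTLS prerequisite checks
# done by hand above. Paths and the version threshold are assumptions.

# Return 0 if the kernel config at $1 has CONFIG_TLS=y or CONFIG_TLS=m,
# 1 if it is "n"/absent (the Debian 10/11 case quoted above), 2 if unreadable.
kernel_tls_config() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    if grep -qE '^CONFIG_TLS=(y|m)$' "$cfg"; then
        return 0
    fi
    return 1
}

# Same check on a gzip-compressed config such as /proc/config.gz.
kernel_tls_config_gz() {
    [ -r "$1" ] || return 2
    tmp=$(mktemp)
    zcat "$1" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 2; }
    kernel_tls_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Return 0 if the `lsmod` output passed on stdin lists the tls module.
# A module that exists but is not yet loaded is also fine: the kernel loads it
# on the first setsockopt(SOL_TCP, TCP_ULP, "tls") unless module loading is
# locked down, so "not loaded" only means kTLS has not been used yet.
tls_module_loaded() {
    awk '$1 == "tls" { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if an `openssl version` string reports 3.0 or newer.
openssl_major_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p')
    [ -n "$ver" ] && [ "$ver" -ge 3 ]
}

# Live report for the current host, one line per prerequisite.
ktls_report() {
    cfg="/boot/config-$(uname -r)"
    if kernel_tls_config "$cfg"; then
        echo "kernel: CONFIG_TLS enabled ($cfg)"
    elif kernel_tls_config_gz /proc/config.gz; then
        echo "kernel: CONFIG_TLS enabled (/proc/config.gz)"
    else
        echo "kernel: CONFIG_TLS not enabled, or config unreadable"
    fi
    if lsmod 2>/dev/null | tls_module_loaded; then
        echo "module: tls loaded"
    else
        echo "module: tls not loaded (may still autoload on first use)"
    fi
    if openssl_major_ok "$(openssl version 2>/dev/null)"; then
        echo "openssl: 3.x (kTLS capable only if built with enable-ktls)"
    else
        echo "openssl: older than 3.0, no kTLS support"
    fi
}

if [ "${1:-}" = "--report" ]; then
    ktls_report
fi
```

Run it as `sh ktls_check.sh --report` on the host; the functions are kept separate from the report so they can be pointed at a copied config file or a saved lsmod listing from another machine.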
On lafibre:
CONNECTED(00000005)
OCSP response: no response sent
depth=0 CN = default.lan
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = default.lan
verify return:1
---
Certificate chain
0 s:/CN=default.lan
i:/CN=default.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=default.lan
issuer=/CN=default.lan
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 1178 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7705BAEB66EC8CE4FF5EFD7E056D1EDAA97E13EF4783098EE8AE3AEBBE0B7873
Session-ID-ctx:
Master-Key: 27129C99EA23F282571ED5316A0EE418FF9AA7336E011AAC3B772CEE2483EE0C0466F3645FC0EEF5AC4DAEF8C031DAA3
Start Time: 1652661436
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
The self-signed one: default.lan
How is it built? I'm curious.
On my end:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = what else ?
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: May 14 21:41:00 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
Serial Number: 0357E4753CA1A7230193B6FA84726194205A
Cert Status: good
This Update: May 14 21:00:00 2022 GMT
Next Update: May 21 20:59:58 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
87:a0:6f:d0:b9:84:46:a0:0f:c5:29:64:c1:a8:73:1d:af:74:
a9:88:ec:65:96:15:2c:76:1a:04:36:23:75:db:d4:cd:64:42:
18:28:87:d3:74:1a:8b:fb:63:e2:f4:71:94:2c:c1:22:3d:5a:
78:2b:8a:df:2f:d3:77:ef:a7:26:c2:ee:6b:1d:b1:92:53:4f:
be:25:4a:21:71:d3:c3:8d:fe:a5:07:c0:c9:2e:59:28:b3:02:
e3:72:d8:41:40:21:28:c1:bf:44:0e:43:fa:9d:70:80:7d:97:
67:09:b5:66:2c:fb:09:2d:dd:53:3e:74:60:91:99:12:8a:13:
5c:6f:e3:51:30:86:1e:37:2b:d2:4d:0e:92:c7:cb:b3:d5:30:
de:f3:13:91:5a:0c:1d:7a:e0:57:98:96:3d:3c:84:34:55:2d:
52:23:2d:d9:bd:e9:8f:85:0d:a0:13:c2:28:9e:80:68:95:2f:
08:94:77:34:ae:47:81:5a:96:55:4d:6c:f4:0f:1d:09:33:6a:
87:d2:94:f5:83:34:00:22:79:dd:b6:09:73:a0:28:da:ff:13:
62:89:08:37:7d:2e:9a:02:a1:61:cb:63:f0:cf:72:a2:4e:b9:
79:44:69:75:21:76:a9:1b:dd:8c:03:d2:ba:cb:02:02:14:95:
92:1e:8c:f3
======================================
---
Certificate chain
0 s:/CN=what else ?
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/CN=what else ?
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5008 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C87AF0ABD7A8CA8BD38B61D8EEFA10BEA8F1F340891F1AF5EBCF48C169DDE507
Session-ID-ctx:
Master-Key: AFBED0F7AA6BD049155568ACC5741F2A1BF922A3A0D7B0C6A854DC93EE9232AEFF059996A1F0B27CDD4F306CF7F0581C
Start Time: 1652661837
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Apart from the "OCSP response", it answers in 1.2 for now.
It didn't like it:
C0A291EA827F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:125:calling connect()
C0A291EA827F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:
C0A291EA827F0000:error:8000006F:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:125:calling connect()
C0A291EA827F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:127:
connect:errno=111
Switched over. Still a few optimisations to do.
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = what else ?
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: May 15 21:52:00 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
Serial Number: 04A59998F20E2B9C3C2E517C0D374C9FA36C
Cert Status: good
This Update: May 15 21:00:00 2022 GMT
Next Update: May 22 20:59:58 2022 GMT
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
37:77:1c:27:b1:7e:f8:9c:5a:c5:ad:80:2a:4c:04:d5:ec:34:
dd:65:75:71:fd:5f:88:a8:e6:22:ce:c9:d5:a9:9c:69:06:28:
b4:c6:d7:15:bc:2c:cd:b4:64:df:8a:c3:d1:a7:24:dc:1d:d4:
29:f4:8e:e5:7b:15:40:7c:f9:9e:9c:50:96:88:0e:7c:be:57:
30:9e:5b:ce:c2:c1:d1:c8:fe:85:78:6d:ed:e7:4e:53:9f:17:
7a:1e:cc:71:29:1c:95:43:81:f8:2c:86:5b:eb:63:ed:bd:78:
f5:e0:1c:f8:41:f2:f1:9e:bf:bd:bc:7f:7b:b7:b0:e6:a2:27:
78:29:f7:a8:bc:44:c9:97:f0:2e:f8:f2:b9:c6:3f:87:41:49:
a9:e0:4a:4a:0e:4e:cb:d0:5b:70:a6:48:21:8f:2a:69:36:5d:
78:90:ff:24:34:7e:82:c1:79:84:3c:a7:6a:89:cc:98:da:1e:
38:51:92:27:73:28:f3:8f:f9:d8:35:e2:92:aa:a3:8d:0a:b9:
7b:95:15:9f:14:c1:a4:d7:5a:cb:54:42:8b:e5:e2:5e:e2:ba:
e9:93:b1:33:c3:d4:81:bd:7c:36:f3:f0:fa:42:bc:36:ad:37:
05:89:d6:ff:cc:1f:b4:a7:61:93:31:a4:ab:15:32:e1:6e:ec:
25:e6:5e:81
======================================
---
Certificate chain
0 s:CN = what else ?
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 15 20:52:46 2022 GMT; NotAfter: Aug 13 20:52:45 2022 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFIjCCBAqgAwIBAgISBKWZmPIOK5w8LlF8DTdMn6NsMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA1MTUyMDUyNDZaFw0yMjA4MTMyMDUyNDVaMBkxFzAVBgNVBAMT
Dnd3dy5tYXJxdWVzLmJ6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
zDbu6zRF6LAovmRp2sEwNfAQzznQ7jGcQ27twbgPd/Vp77we2yrXldDgJOeBFUaJ
pLNjr9pnle8f2MjdP44KqK+c12tad6Rl2AMHIb/B5r/iGoZnxggZc/CrJU/s/p9G
zIf+p6tJABVIzi6lUptzpSdAjuVn4JKX9ZR6gv0lLDuhRcS9KtVVuHeHRxlsXq8o
2iSgrUYlTYJjptqbb/xoxXo6EwpipI7HMp+2f2PHiJE2wh25wSK87yvYDaoax+4E
cesM63la/4/lurh9JjaD8S/CuvnJCDUMk/VJRsIIE+4NebWR5bLvIOvoGOV/weAi
HZR3oqYFniIfyGpQojV7cQIDAQABo4ICSTCCAkUwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBQc3dITXyXB566n6U1sLaP5qItwKTAfBgNVHSMEGDAWgBQULrMXt1hWy65Q
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn
LzAZBgNVHREEEjAQgg53d3cubWFycXVlcy5iejBMBgNVHSAERTBDMAgGBmeBDAEC
ATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNl
bmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB1ACl5vvCeOTkh8FZz
n2Old+W+V32cYAr4+U1dJlwlXceEAAABgMm1qCQAAAQDAEYwRAIgTpTqwI4oz01R
UEQ2H9KaNm9YMqafLvw3eZg6JkvzZ3QCIHazCVCFZcbU+aBJOHuVylTvnitJwiL7
5ZvYo+RZjICfAHcA36Veq2iCTx9sre64X04+WurNohKkal6OOxLAIERcKnMAAAGA
ybWqGQAABAMASDBGAiEAoad8H9JVysPtgvboX6QOyNLxN/O62LyNvIBv5blilMsC
IQDSFBu5ziWm2m45sW04TPFSq30MuLIxWakuEXnJAwtrBzANBgkqhkiG9w0BAQsF
AAOCAQEAuGgR+HO05LKLqIKLPEubQ4uZOxfWOhQwNrkM09KYi9UKjKmrd2sKCQcD
d+PoldpOS3Q2a/j8JpxrriVyISH1zgDtqqQuOVxlLDJNprhgWMoZQPHPkA3pDKQt
soVIcq3hTC5dlBWRue8qZYJqndoijzCbwPXt5g7SS2wn7rbeBwL5A2OJH8RMxzVX
HveCIVfV0ohwJAJ8kobBfp5Dn29oDJIYwfP5RXZoDPRMNxdrRq8KqgpdjPmNfi1a
qSGBc8WDOy9/IczbAjouWSrytwx5/tGbcsYmalWRegtOiM41zk0/4CszblI3VHmv
UlTzmXbo209sM/aU9Q8wrGYXc1niEw==
-----END CERTIFICATE-----
subject=CN = what else ?
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5085 bytes and written 337 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: FD427BE368B8D9BF7F3DB632A39F8BF8804B6E3FD05D013E328583A586583A76
Session-ID-ctx:
Resumption PSK: EAEED6872E405A880A833AB5E201830007DEA22E79055E014F7E494E6E2A472900F5E8595AE1DF01124F53BAE2972421
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - a5 37 e1 ab 0c 95 ba 5b-10 bf ba 63 2a 7d 6d 40 .7.....[...c*}m@
0010 - db 19 ca a7 42 10 68 1a-2a 81 c4 85 07 a1 1b e4 ....B.h.*.......
Start Time: 1652667916
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 13CFF7F597393AFFF8575350F49F046B1ECA5FCDC7F6163AD5B1CE4874DB46D8
Session-ID-ctx:
Resumption PSK: 483B7189865398E574C6287BB8A530DDB0ABEE295926EA197CB5CCD0843BF477E3FA9CFB3594A191F129DBD5AFCF5F4F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fc 51 c8 dd e2 61 87 12-27 b5 d6 60 23 20 63 76 .Q...a..'..`# cv
0010 - ad 88 7c a8 d6 46 31 85-e3 b3 c8 86 44 41 a5 b4 ..|..F1.....DA..
Start Time: 1652667916
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
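The s_client transcripts in this thread are read by eye for the handful of points that matter: which protocol and cipher were negotiated, whether an OCSP response was stapled, the verify return code (18 for the self-signed default.lan, 20 for the chain that could not be linked to a local root), and whether ALPN was negotiated (without ALPN a browser cannot select h2, which is what the HTTP/1 versus HTTP/2 comparison at the top of the thread is about). As an added example that is not part of the thread, the following POSIX shell helper extracts those fields from an `openssl s_client -status` transcript piped on stdin and lists the findings a defender would act on. The two embedded transcripts are constructed, shortened to the shape of the outputs above, and are not the thread's own output.

```shell
#!/bin/sh
# Added example (not from the thread): summarise an `openssl s_client -status`
# transcript and flag the items worth acting on. Field names are our own.

# Print key=value lines (protocol, cipher, verify, ocsp, alpn) for the
# transcript on stdin. Later occurrences win, which matches s_client: the
# SSL-Session block is printed after the handshake lines.
tls_summary() {
    awk '
        BEGIN { proto = "unknown"; cipher = "unknown"; verify = "unknown"
                ocsp = "unknown"; alpn = "unknown" }
        /^ *Protocol *:/       { sub(/^ *Protocol *: */, ""); proto = $0 }
        /^ *Cipher *:/         { sub(/^ *Cipher *: */, ""); cipher = $0 }
        /^ *Verify return code:/ { verify = $4 }          # numeric code only
        /^OCSP response: no response sent/ { ocsp = "none" }
        /^ *Cert Status:/      { ocsp = $3 }              # good / revoked / unknown
        /^No ALPN negotiated/  { alpn = "none" }
        /^ALPN protocol:/      { alpn = $3 }              # e.g. h2, http/1.1
        END {
            printf "protocol=%s\ncipher=%s\nverify=%s\nocsp=%s\nalpn=%s\n",
                   proto, cipher, verify, ocsp, alpn
        }'
}

# One line per finding, derived from tls_summary of the transcript on stdin.
tls_findings() {
    tls_summary | awk -F= '
        $1 == "verify"   && $2 != "0"       { print "chain: verify return code " $2 }
        $1 == "ocsp"     && $2 == "none"    { print "ocsp: no stapled response" }
        $1 == "ocsp"     && $2 == "revoked" { print "ocsp: certificate REVOKED" }
        $1 == "protocol" && $2 != "TLSv1.3" { print "protocol: " $2 " negotiated, not TLSv1.3" }
        $1 == "alpn"     && $2 == "none"    { print "alpn: none negotiated, h2 cannot be selected" }
    '
}

# Constructed transcript: self-signed cert, no OCSP stapling, TLS 1.2, no ALPN.
sample_selfsigned() {
    cat <<'EOF'
CONNECTED(00000005)
OCSP response: no response sent
depth=0 CN = default.lan
verify error:num=18:self signed certificate
verify return:1
---
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 18 (self signed certificate)
EOF
}

# Constructed transcript: TLS 1.3 with stapled OCSP, but the client could not
# link the chain to a local root (code 20) and no ALPN was negotiated.
sample_tls13() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
---
No ALPN negotiated
Verify return code: 20 (unable to get local issuer certificate)
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```

Typical use against a live host is `openssl s_client -connect host:443 -status -alpn h2 </dev/null 2>&1 | tls_findings`; note that verify code 20 on the client side usually means the client's trust store is missing the root, not that the server is misconfigured, so it is a finding to triage rather than an alarm.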