On Tue, 2025-10-21 at 12:35 +0100, Simon Horman wrote:
On Tue, Oct 21, 2025 at 07:29:17PM +1000, Wilfred Mallawa wrote:
...
diff --git a/Documentation/networking/tls.rst b/Documentation/networking/tls.rst index 36cc7afc2527..ecaa7631ec46 100644 --- a/Documentation/networking/tls.rst +++ b/Documentation/networking/tls.rst @@ -280,6 +280,28 @@ If the record decrypted turns out to had been padded or is not a data record it will be decrypted again into a kernel buffer without zero copy. Such events are counted in the ``TlsDecryptRetry`` statistic. +TLS_TX_MAX_PAYLOAD_LEN +~~~~~~~~~~~~~~~~~~~~~~
+Specifies the maximum size of the plaintext payload for transmitted TLS records.
+When this option is set, the kernel enforces the specified limit on all outgoing +TLS records. No plaintext fragment will exceed this size. This option can be used +to implement the TLS Record Size Limit extension [1].
- For TLS 1.2, the value corresponds directly to the
record size limit.
Hi Wilfred,
Unfortunately make htmldocs seems unhappy with the line above.
.../tls.rst:291: ERROR: Unexpected indentation. [docutils]
This was with Sphinx 8.1.3.
Hey Simon,
Ah I didn't realise this wasn't allowed, will fixup and test with make htmldocs.
Thanks! Wilfred
- For TLS 1.3, the value should be set to
record_size_limit - 1, since
- the record size limit includes one additional byte for
the ContentType
- field.
+The valid range for this option is 64 to 16384 bytes for TLS 1.2, and 63 to +16384 bytes for TLS 1.3. The lower minimum for TLS 1.3 accounts for the +extra byte used by the ContentType field.
+For TLS 1.3, getsockopt() will return the total plaintext fragment length, +inclusive of the ContentType field.
+[1] https://datatracker.ietf.org/doc/html/rfc8449
Statistics ==========
...