Security
The following features for security are available as technology preview.
KTLS
Oracle Linux 9 provides kernel Transport Layer Security (KTLS) as a technology preview.
The Linux Kernel TLS (KTLS) handles TLS records for the AES-GCM cipher. KTLS also provides the interface for offloading TLS record encryption to NICs that support this functionality.
OpenSSL 3.0 is able to use KTLS if the enable-ktls configuration option is
used during compiling.
The updated gnutls packages can use KTLS for accelerating data transfer on
encrypted channels. To enable KTLS, add the tls.ko kernel module using the
modprobe command, and create a new configuration file
/etc/crypto-policies/local.d/gnutls-ktls.txt for the system-wide
cryptographic policies with the following content:
[global]
ktls = true
Note that gnutls doesn't permit you to update traffic keys through TLS
KeyUpdate messages, which impacts the security of AES-GCM ciphersuites.
QUIC Protocol in OpenSSL
OpenSSL clients can use the QUIC transport layer network protocol as a technical preview.
io_uring Asynchronous I/O Interface
Although available, the io_uring asynchronous I/O interface is disabled
by default. To enable the feature, set the kernel.io_uring_disabled
variable to any one of the following values when running the sysctl
command:
- 0: All processes can create io_uring instances as usual.
- 1: Creating io_uring instances is disabled for unprivileged processes. With this setting, io_uring_setup fails with the -EPERM error. It only succeeds if the calling process holds the CAP_SYS_ADMIN capability. However, existing io_uring instances can still be used.
- 2 (default): Creating io_uring instances is disabled for all processes. With this setting, io_uring_setup always fails with -EPERM. However, existing io_uring instances can still be used.
To use this feature, an updated version of the SELinux policy to enable the
mmap system call on anonymous inodes is also required.
Note that io_uring support has been available in UEK from UEK R6U3.
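As an added example (not part of the release notes), the following POSIX shell helpers audit the kernel.io_uring_disabled setting and write the persistent configuration fragments for both features described above. File paths are parameters with the real locations as defaults, so the functions can be exercised against a scratch directory; the drop-in name 90-io-uring.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux release notes.
# Helpers for the two technology-preview settings discussed above.

# Translate a kernel.io_uring_disabled value into its meaning.
io_uring_mode_desc() {
    case "$1" in
        0) echo "io_uring allowed for all processes" ;;
        1) echo "io_uring creation restricted to CAP_SYS_ADMIN" ;;
        2) echo "io_uring creation disabled for all processes (default)" ;;
        *) echo "unknown value: $1"; return 2 ;;
    esac
}

# Read the live value (default: the /proc sysctl file) and classify it.
# Returns 0 if io_uring creation is restricted (1 or 2), 1 if it is open
# to all processes (0), and 2 if the file is unreadable or malformed.
io_uring_is_restricted() {
    file="${1:-/proc/sys/kernel/io_uring_disabled}"
    [ -r "$file" ] || return 2
    val=$(tr -d '[:space:]' < "$file")
    io_uring_mode_desc "$val" >/dev/null || return 2
    [ "$val" -ge 1 ]
}

# Persist a chosen io_uring policy as a sysctl.d drop-in.
# $1 = value (0, 1 or 2), $2 = target directory (default /etc/sysctl.d).
# Assumed file name: 90-io-uring.conf. Apply with: sysctl --system
write_io_uring_sysctl() {
    io_uring_mode_desc "$1" >/dev/null || return 2
    dir="${2:-/etc/sysctl.d}"
    printf 'kernel.io_uring_disabled = %s\n' "$1" > "$dir/90-io-uring.conf"
}

# Write the gnutls crypto-policy fragment that turns on KTLS.
# $1 = target directory (default /etc/crypto-policies/local.d).
# The fragment takes effect after update-crypto-policies regenerates
# the back-end configuration and tls.ko has been loaded with modprobe.
write_gnutls_ktls_policy() {
    dir="${1:-/etc/crypto-policies/local.d}"
    printf '[global]\nktls = true\n' > "$dir/gnutls-ktls.txt"
}
```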