On Fri, 24 Oct 2025 12:11:11 +1000 Wilfred Mallawa wrote:
In the previous record_size_limit approach for TLS 1.3, we need to account for the ContentType byte. Which complicates get/setsockopt() and tls_get_info(), where in setsockopt() for TLS 1.3 we need to subtract 1 to the user provided value and in getsockopt() we need add 1 to keep the symmetry between the two (similarly in tls_get_info()). The underlying assumption was that userspace passes up directly what the endpoint specified as the record_size_limit.
With this approach we don't need to worry about it and we can pass the responsibility to user-space as documented, which I think makes the kernel code simpler.
But we haven't managed to avoid that completely:
+ if (value < TLS_MIN_RECORD_SIZE_LIM - (tls_13 ? 1 : 0) ||
I understand the motivation, the kernel code is indeed simpler.
Last night I read the RFC and then this patch, and it took me like 10min to get all of it straight in my head. Maybe I was tried but I feel like the user space developers will judge us harshly for the current uAPI.