Kernel TLS offload for Elixir

I was curious whether it would be possible to use kernel TLS offload from Elixir. I have a preference for the non-blocking socket programming model over :gen_tcp (probably due to the brain damage I incurred by writing many C-based socket programs over the years) but there’s no equivalent support for TLS out of the box.

Just for fun, I put this little proof-of-concept together, showing how to do it (limited to TLS 1.3). My takeaways are:

  • It can be done this way
  • It probably shouldn’t be done this way (there are a few ‘naughty’ things it does to reach the end goal)

It would be neat if OTP offered this out of the box (although it would only work on Linux and maybe FreeBSD). The programming model would still look like :ssl, I expect, but just no-op-ing the encryption/decryption in userspace, so it was transparent to the user.

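An added illustration of the socket-level half of the idea, not the original poster's proof of concept: after a TLS 1.3 handshake has completed, the traffic keys are handed to Linux kTLS through `:socket.setopt_native/3`, after which plain `:socket.send/2` and `:socket.recv/1` carry TLS records. The constants, the `tls12_crypto_info_aes_gcm_128` layout (from `linux/tls.h` and `linux/tcp.h`), the requirement of a recent Linux kernel and OTP 24+, and how the key material is obtained (here: passed in by the caller) are all assumptions.

```elixir
defmodule KtlsOffload do
  @moduledoc """
  Installs TLS 1.3 AES-128-GCM traffic keys into the Linux kernel TLS
  layer for an OTP `:socket`. Assumed values from the kernel headers:
  these are not from the original post.
  """

  @sol_tcp 6
  @tcp_ulp 31                  # select the "tls" upper-layer protocol
  @sol_tls 282
  @tls_tx 1
  @tls_rx 2
  @tls_1_3_version 0x0304
  @tls_cipher_aes_gcm_128 51

  @doc """
  `tx`/`rx` are `{key, iv}` with a 16-byte key and the 12-byte write IV
  from the TLS 1.3 key schedule; `tx_seq`/`rx_seq` are the next record
  sequence numbers per direction (0 right after the handshake).
  Preconditions the kernel enforces or silently breaks on: the handshake
  is finished and no undelivered ciphertext is buffered in userspace.
  """
  def enable(sock, {tx_key, tx_iv}, {rx_key, rx_iv}, tx_seq \\ 0, rx_seq \\ 0) do
    with :ok <- :socket.setopt_native(sock, {@sol_tcp, @tcp_ulp}, "tls"),
         :ok <- :socket.setopt_native(sock, {@sol_tls, @tls_tx},
                                      crypto_info(tx_key, tx_iv, tx_seq)),
         :ok <- :socket.setopt_native(sock, {@sol_tls, @tls_rx},
                                      crypto_info(rx_key, rx_iv, rx_seq)) do
      :ok
    end
  end

  # struct tls12_crypto_info_aes_gcm_128 (40 bytes): version and cipher in
  # host order, then iv[8], key[16], salt[4], rec_seq[8]. TLS 1.3 has no
  # explicit per-record nonce: the 12-byte IV is split into a 4-byte salt
  # and an 8-byte part that the kernel XORs with the big-endian rec_seq.
  def crypto_info(<<key::binary-16>>, <<salt::binary-4, iv::binary-8>>, seq)
      when is_integer(seq) and seq >= 0 do
    <<@tls_1_3_version::native-16, @tls_cipher_aes_gcm_128::native-16,
      iv::binary, key::binary, salt::binary, seq::big-64>>
  end
end
```

Once both directions are installed, any further attempt to send or receive handshake-level messages (key updates, alerts) has to go through kTLS control messages, which this snippet does not cover.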

Interesting. Am I understanding this correctly that the “new” socket is still under TLS but can use the socket API instead of the SSL API?

Yeah, precisely.

Have you done any benchmarks on this? Obviously TLS brings some overhead, but I wonder what the difference is between the SSL and Socket APIs.

Absolutely none at all! Performance wasn’t my motivation for this - just wanted to see if it even worked.

Would be interesting to see. It would also be even nicer if we could do this straightforwardly and use the socket API, which is easier to work with.