X-Git-Url: https://git.sesse.net/?p=cubemap;a=blobdiff_plain;f=README;h=0712cbd50262ca958d2da3498ea03d97ce153a66;hp=056f705b80cc4d9f481c18e273c4284af3dc46ec;hb=8bbec2e3d29552e4d65b504beebc51819d53792f;hpb=42d66e298039bcf557e4d01329e790d099ca9f62 diff --git a/README b/README index 056f705..0712cbd 100644 --- a/README +++ b/README @@ -5,8 +5,7 @@ A short list of features: - High-performance, through a design with multiple worker threads, epoll and sendfile (yes, sendfile); a 2GHz quadcore can saturate - 10 gigabit Ethernet, given a modern kernel, a modern NIC - and the right kernel tuning. + 10 gigabit Ethernet (even with TLS) given a modern kernel. - High-availability. You can change any part of the configuration (and even upgrade to a newer version of Cubemap) by changing cubemap.config and sending a SIGHUP; all clients will continue as if nothing had happened @@ -18,12 +17,15 @@ A short list of features: has problems reflecting itself (in particular, FLV). - Multicast support, both for sending and receiving (supports only protocols that can go over UDP, e.g. MPEG-TS). Supports both ASM and SSM. + - TLS output support, through the TLSe library (requires libtomcrypt) + and the Linux kernel's kTLS (Linux 4.13 or newer). There are a few + limitations; see below. - IPv4 support. Yes, Cubemap even supports (some) legacy protocols. HOWTO: - sudo aptitude install libprotobuf-dev protobuf-compiler libsystemd-dev + sudo apt install libprotobuf-dev protobuf-compiler libsystemd-dev libtomcrypt-dev ./configure make -j4 
@@ -46,6 +48,21 @@ are OK, and then exec() the new version, which deserializes everything and keeps going. +Notes on TLS support: + +Cubemap supports TLS on output, so that you can play video on TLS +web sites without issues with mixed content. TLS on input streams is +not (yet) supported. + +TLS requires kTLS, ie., Linux >= 4.13 with CONFIG_TLS enabled. Only cipher +suites supported by kTLS is supposed, ie., AES-128-GCM (if no such cipher +suite is available, the connection will be aborted). If the server is restarted +before the key exchange for a connection is completed, that connection will +not survive the restart, unlike all other connections. (This is a TLSe +limitation.) You can have different certificates on different ports (and +have separate ports for TLS and non-TLS), but SNI is not yet supported. + + Munin plugins: To activate these, symlink them into /etc/munin/plugins. If you don't put @@ -64,3 +81,5 @@ Legalese: Copyright 2013 Steinar H. Gunderson . Licensed under the GNU GPL, version 2. See the included COPYING file. + +See tlse/LICENSE for TLSe licensing.
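Review bot: the performance bullet in the first hunk (the `- 10 gigabit Ethernet, given a modern kernel, a modern NIC` / `+ 10 gigabit Ethernet (even with TLS) given a modern kernel.` lines) drops the "a modern NIC and the right kernel tuning" qualifiers at the same time as it adds a stronger claim; if the 10 GbE figure still depends on NIC features and sysctl tuning, keep those caveats, and since the "(even with TLS)" part is only plausible because the TLS notes later in this patch say encryption is done by kTLS, say "with kTLS" here or point readers to the "Notes on TLS support" section so the claim is not read as applying to any TLS setup.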
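Review bot: the second hunk adds a hard-looking dependency (`+ sudo apt install ... libtomcrypt-dev` and "TLSe library (requires libtomcrypt)") without saying whether TLS output is optional at build time, i.e. what ./configure does when libtomcrypt-dev is absent; state whether the build fails or builds without TLS. Since the Legalese hunk points at tlse/LICENSE, also say in the feature bullet that TLSe is shipped in-tree, so nobody goes looking for a separate TLSe package. The kernel requirement is phrased differently in the two hunks ("Linux 4.13 or newer" here, "Linux >= 4.13 with CONFIG_TLS enabled" in the notes); carry the CONFIG_TLS condition into the bullet too, because a 4.13+ kernel without it does not satisfy the requirement.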
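Review bot: the cipher-suite sentence in the "Notes on TLS support" hunk has two typos: `+suites supported by kTLS is supposed, ie., AES-128-GCM` should read "are supported, i.e., AES-128-GCM", and the earlier "ie." in "TLS requires kTLS, ie., Linux >= 4.13" should also be "i.e.". The same paragraph should state the protocol version: kTLS in Linux 4.13 handles only TLS 1.2 records with AES-128-GCM, so a client that offers only TLS 1.3, or only non-GCM suites, ends up on the "connection will be aborted" path, and that is worth saying explicitly rather than leaving it to be inferred from the cipher list. "CONFIG_TLS enabled" should also mention that when it is built as a module the tls module has to be loaded (modprobe tls) before kTLS can be used on a socket. Finally, the sentence about connections whose key exchange has not completed at restart time describes a client-visible failure; say what the client sees (its connection is dropped and it must reconnect) so operators know the behaviour is expected rather than a bug.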
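Review bot: the `+See tlse/LICENSE for TLSe licensing.` line in the Legalese hunk says where the license is but not what it is; name the license in the README itself so that its compatibility with the GPLv2 stated two lines above can be checked without opening the file, and, since libtomcrypt is now a build dependency listed in the HOWTO, consider a similar one-line note for it.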