adOpenStatic Logo
Ken's Blog
Contact Ken
Copyright 2000 -

Enabling Kernel Mode SSL in Windows 2003 Server SP1
Windows 2003 Server with Service Pack 1 includes a new feature enabling certain SSL functions to be performed in kernel-mode rather than in user-mode. This can provide a large performance increase, in the order of approximately 20%. Kernel Mode SSL is enabled by setting a registry key, however the current implementation does have some drawbacks, so careful evaluation is required before enabling this functionality.

When kernel mode SSL is not enabled (e.g. prior to SP1), SSL requests into IIS follow the path in Figure 1. An incoming request is offloaded from http.sys to a user mode HTTP SSL component (2), which then passes the request into LSASS (Local Security Authority Subsystem Service)(3), which decrypts the request. The request is then passed back to the user mode HTTP SSL Component (4) and then to http.sys in kernel mode (5). Http.sys then passes the request up to httpapi.dll in user mode (6) , which then passes the request, finally to IIS 6.0.

IIS SSL Handling - non kernel mode
Figure 1: non kernel mode SSL

When the response needs to be sent back to the browser, the entire process is reversed. So, the response is passed down into kernel mode, then back into user mode (to LSASS where the response is encrypted), and then back into kernel mode (http.sys) to be sent back to the client.

Compare this to how SSL is handled when kernel mode SSL is enabled. Here, only the initial SSL handshake between client and server (including the setup of the symmetric keys) involves a trip across to LSASS. Subsequent request and response decryption and encryption is handled in kernel mode by ksecdd.sys (Figure 2).

IIS SSL Handling - kernel mode
Figure 2: kernel mode SSL

Enabling kernel mode SSL requires setting the following registry key: EnableKernelSSL (type DWORD) at the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. Options are 0 (user mode SSL - this is the default) and 1 (kernel mode SSL). After setting this value, you will need to restart the http.sys service.

However, using kernel mode SSL does have a number of drawbacks, in that certain features are not available. These are:

  • Support for client certificates
  • Support for RC2 ciphers
  • Support for PCT (Private Communications Technology) 1.0

Because of the lack of support for these features (particularly client certificates), careful evaluation needs to be undertaken in your environment to determine whether kernel mode SSL will enable your users to continue using your exposed functionality. However, if it is a good fit, you will see a performance improvement with respect to SSL encryption/decryption after enabling this setting.

Back to FAQ Listing