Enabling Kernel Mode SSL in Windows 2003 Server SP1
Windows 2003 Server with Service Pack 1 includes a new feature enabling certain SSL functions to be performed in
kernel-mode rather than in user-mode. This can provide a large performance increase, in the order of
approximately 20%. Kernel Mode SSL is enabled by setting a registry key, however the current implementation
does have some drawbacks, so careful evaluation is required before enabling this functionality.
When kernel mode SSL is not enabled (e.g. prior to SP1), SSL requests into IIS follow the path in Figure 1.
An incoming request is offloaded from http.sys to a user mode HTTP SSL component (2), which then passes the
request into LSASS (Local Security Authority Subsystem Service)(3), which decrypts the request. The request
is then passed back to the user mode HTTP SSL Component (4) and then to http.sys in kernel mode (5). Http.sys
then passes the request up to httpapi.dll in user mode (6) , which then passes the request, finally to IIS 6.0.
Figure 1: non kernel mode SSL
When the response needs to be sent back to the browser, the entire process is reversed. So, the response is
passed down into kernel mode, then back into user mode (to LSASS where the response is encrypted), and then
back into kernel mode (http.sys) to be sent back to the client.
Compare this to how SSL is handled when kernel mode SSL is enabled. Here, only the initial SSL handshake between
client and server (including the setup of the symmetric keys) involves a trip across to LSASS.
Subsequent request and response decryption and encryption is handled in kernel mode by ksecdd.sys (Figure 2).
Figure 2: kernel mode SSL
Enabling kernel mode SSL requires setting the following registry key: EnableKernelSSL (type DWORD) at the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters. Options are 0 (user mode SSL -
this is the default) and 1 (kernel mode SSL). After setting this value, you will need to restart the http.sys
However, using kernel mode SSL does have a number of drawbacks, in that certain features are not available.
- Support for client certificates
- Support for RC2 ciphers
- Support for PCT (Private Communications Technology) 1.0
Because of the lack of support for these features (particularly client certificates), careful evaluation
needs to be undertaken in your environment to determine whether kernel mode SSL will enable your users
to continue using your exposed functionality. However, if it is a good fit, you will see a performance
improvement with respect to SSL encryption/decryption after enabling this setting.
Back to FAQ Listing