.\" .\" Copyright (c) 2024 Gleb Smirnoff .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. .\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT, .\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT .\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, .\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY .\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" " .Dd April 24, 2024 .Dt ACCF_TLS 9 .Os .Sh NAME .Nm accf_tls .Nd "buffer incoming connections until a TLS handshake like request arrives" .Sh SYNOPSIS .Nm options INET .Nm options ACCEPT_FILTER_TLS .Nm kldload accf_tls .Sh DESCRIPTION This is a filter to be placed on a socket that will be using .Fn accept 2 to receive incoming HTTPS connections. It prevents the application from receiving the connected descriptor via .Fn accept 2 until a full TLS handshake has been buffered by the kernel. The .Nm will first check that byte at offset 0 is .Va 0x16 , which matches handshake type. Then it will read 2-byte request length value at offset 3 and will continue reading until reading the entire length of the handshake is buffered. If something other than .Va 0x16 is at offset 0, the kernel will allow the application to receive the connection descriptor via .Fn accept 2 . .Pp The utility of .Nm is such that a server will not have to context switch several times before performing the initial parsing of the request. This effectively reduces the amount of required CPU utilization to handle incoming requests by keeping active processes in preforking servers such as Apache low and reducing the size of the file descriptor set that needs to be managed by interfaces such as .Fn select , .Fn poll or .Fn kevent based servers. .Sh EXAMPLES Assuming ACCEPT_FILTER_TLS has been included in the kernel config file or the .Nm module has been loaded, this will enable the TLS accept filter on the socket .Fa sok . .Bd -literal -offset 0i struct accept_filter_arg afa; bzero(&afa, sizeof(afa)); strcpy(afa.af_name, "tlsready"); setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)); .Ed .Sh SEE ALSO .Xr setsockopt 2 , .Xr accept_filter 9 .Sh HISTORY The .Nm accept filter was introduced in .Fx 15.0 . .Sh AUTHORS The .Nm filter was written by .An Maksim Yevmenkin .