xref: /freebsd/share/man/man9/accf_tls.9 (revision e5a54f19be8e0e4e700aaf46ab70d42d3ffba469)
.\"
.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 24, 2024
.Dt ACCF_TLS 9
.Os
.Sh NAME
.Nm accf_tls
.Nd buffer incoming connections until a TLS handshake-like request arrives
.Sh SYNOPSIS
.Nm options INET
.Nm options ACCEPT_FILTER_TLS
.Nm kldload accf_tls
.Sh DESCRIPTION
This is a filter to be placed on a socket that will be using
.Xr accept 2
to receive incoming HTTPS connections.
It prevents the application from receiving the connected descriptor via
.Xr accept 2
until a full TLS handshake has been buffered by the kernel.
The
.Nm
filter first checks that the byte at offset 0 is
.Li 0x16 ,
the TLS record content type for a handshake message.
It then reads the 2-byte record length value at offset 3 and continues
buffering until that many bytes of the handshake have arrived.
If something other than
.Li 0x16
is at offset 0, the kernel will allow the application to receive the
connection descriptor via
.Xr accept 2 .
.Pp
The utility of
.Nm
is that a server will not have to context switch several times
before performing the initial parsing of the request.
This effectively reduces the CPU utilization required
to handle incoming requests by keeping the number of active
processes in preforking servers such as Apache low
and by reducing the size of the file descriptor set that needs
to be managed by
.Xr select 2 ,
.Xr poll 2
or
.Xr kevent 2
based servers.
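The check described above, written out as an added example that is not part of this manual page or of the kernel filter's source: a user-space model of the decision the filter makes on the bytes buffered so far for one pending connection. The names tls_accf_check and tls_accf_state and the sample byte strings are constructed for illustration.

```c
/*
 * Added example (not code from the FreeBSD man page or from accf_tls.c):
 * a user-space model of the decision accf_tls makes on the bytes buffered
 * so far for a pending connection.  tls_accf_state and tls_accf_check are
 * hypothetical names; the kernel filter does not export such an interface.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record header: content type (1), protocol version (2), length (2). */
#define TLS_RECORD_HDR_LEN	5
#define TLS_CONTENT_HANDSHAKE	0x16

enum tls_accf_state {
	TLS_ACCF_MORE,		/* keep buffering, do not wake accept(2) yet */
	TLS_ACCF_READY,		/* whole handshake record buffered: present it */
	TLS_ACCF_PASSTHRU	/* not a TLS handshake: present it unfiltered */
};

/*
 * Examine the first 'len' bytes received on a pending connection and decide
 * what the filter would do, following the DESCRIPTION: byte 0 must be 0x16,
 * then the 16-bit big-endian length at offset 3 says how many payload bytes
 * follow the 5-byte record header.
 */
enum tls_accf_state
tls_accf_check(const uint8_t *buf, size_t len)
{
	size_t rec_len;

	if (len == 0)
		return (TLS_ACCF_MORE);
	if (buf[0] != TLS_CONTENT_HANDSHAKE)
		return (TLS_ACCF_PASSTHRU);
	if (len < TLS_RECORD_HDR_LEN)
		return (TLS_ACCF_MORE);
	rec_len = ((size_t)buf[3] << 8) | buf[4];
	if (len < TLS_RECORD_HDR_LEN + rec_len)
		return (TLS_ACCF_MORE);
	return (TLS_ACCF_READY);
}

/* Constructed sample: a handshake record header announcing 4 payload bytes. */
static const uint8_t sample_hello[] = {
	0x16, 0x03, 0x01, 0x00, 0x04,	/* record header, length = 4 */
	0x01, 0x00, 0x00, 0x00		/* constructed payload, not a real ClientHello */
};

/* Constructed sample: a plaintext HTTP request sent to the HTTPS port. */
static const uint8_t sample_http[] = "GET / HTTP/1.0\r\n";

int
main(void)
{
	printf("partial header: %d\n", tls_accf_check(sample_hello, 3));
	printf("header only:    %d\n", tls_accf_check(sample_hello, 5));
	printf("full record:    %d\n",
	    tls_accf_check(sample_hello, sizeof(sample_hello)));
	printf("plaintext http: %d\n", tls_accf_check(sample_http, 4));
	return (0);
}
```

Note what the filter does and does not do: it looks at one type byte and one length field, so it is a scheduling optimization that delays the wakeup of the accepting process, not validation of the handshake. A connection whose first byte is not 0x16 is still handed to the application, and one that announces a record length and then stalls is simply not presented via accept(2) until the announced bytes have arrived, exactly as the DESCRIPTION states.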
.Sh EXAMPLES
Assuming ACCEPT_FILTER_TLS has been included in the kernel configuration
file or the
.Nm
module has been loaded, the following will enable the TLS accept filter
on the listening socket
.Fa sok .
.Bd -literal -offset 0i
	struct accept_filter_arg afa;

	bzero(&afa, sizeof(afa));
	strcpy(afa.af_name, "tlsready");
	setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
.Ed
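A fuller version of the example above, added here and not part of the manual page: a small program that opens the listening socket, attaches the filter only after listen(2) (the kernel accepts SO_ACCEPTFILTER only on a listening socket and otherwise returns EINVAL), bounds the copy of the filter name into af_name, and treats a failed install as a logged degradation rather than a fatal error, since the filter is an optimization. The helper names, the port 8443 and the ENOSYS fallback on systems without SO_ACCEPTFILTER are assumptions of this example.

```c
/*
 * Added example (not code from the FreeBSD man page): install the accf_tls
 * accept filter on an already-listening socket with the error handling a
 * server wants.  install_accept_filter and open_listener are hypothetical
 * helper names.  On systems without SO_ACCEPTFILTER the install fails with
 * ENOSYS so the program still compiles and runs elsewhere.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ACCF_TLS_NAME	"tlsready"	/* filter name from the man page example */

/*
 * Attach accept filter 'name' to 'sock'.  Returns 0 on success, -1 with
 * errno set otherwise.  listen(2) must already have been called on the
 * socket or the kernel rejects the option with EINVAL; ENOENT means the
 * filter is not available (kldload accf_tls).
 */
int
install_accept_filter(int sock, const char *name)
{
#ifdef SO_ACCEPTFILTER
	struct accept_filter_arg afa;

	memset(&afa, 0, sizeof(afa));
	/* af_name is a fixed-size field: refuse names that would be truncated. */
	if (strlcpy(afa.af_name, name, sizeof(afa.af_name)) >= sizeof(afa.af_name)) {
		errno = ENAMETOOLONG;
		return (-1);
	}
	return (setsockopt(sock, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)));
#else
	(void)sock;
	(void)name;
	errno = ENOSYS;		/* assumption: no accept filters on this platform */
	return (-1);
#endif
}

/* Create a TCP listener bound to addr:port; returns the fd or -1 with errno set. */
int
open_listener(const char *addr, uint16_t port)
{
	struct sockaddr_in sin;
	int sock, one = 1, saved;

	sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock < 0)
		return (-1);
	setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
	    bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
	    listen(sock, 128) < 0) {
		saved = errno;
		close(sock);
		errno = saved;
		return (-1);
	}
	return (sock);
}

int
main(void)
{
	int sock;

	sock = open_listener("0.0.0.0", 8443);	/* port is an assumption */
	if (sock < 0) {
		perror("open_listener");
		return (1);
	}
	/* The socket is listening now, so the filter can be attached. */
	if (install_accept_filter(sock, ACCF_TLS_NAME) != 0) {
		/* The filter is an optimization: log it and keep serving without it. */
		fprintf(stderr, "accf_tls not installed: %s\n", strerror(errno));
	} else {
		printf("accf_tls active: accept(2) returns connections only after "
		    "a full handshake record is buffered\n");
	}
	close(sock);
	return (0);
}
```

The order matters: calling install_accept_filter before listen(2) fails with EINVAL, which is easy to misread as a bad filter name. Keeping the failure non-fatal means a host where the module is not loaded still serves HTTPS, only without the reduced context switching the DESCRIPTION describes; log the error so the misconfiguration is visible.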
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr accept_filter 9
.Sh HISTORY
The
.Nm
accept filter was introduced in
.Fx 15.0 .
.Sh AUTHORS
The
.Nm
filter was written by
.An Maksim Yevmenkin .