.\"
.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd April 24, 2024
.Dt ACCF_TLS 9
.Os
.Sh NAME
.Nm accf_tls
.Nd "buffer incoming connections until a TLS handshake-like request arrives"
.Sh SYNOPSIS
.Nm options INET
.Nm options ACCEPT_FILTER_TLS
.Nm kldload accf_tls
.Sh DESCRIPTION
This is a filter to be placed on a socket that will be using
.Fn accept 2
to receive incoming HTTPS connections.
It prevents the application from receiving the connected descriptor via
.Fn accept 2
until a full TLS handshake has been buffered by the kernel.
The
.Nm
will first check that the byte at offset 0 is
.Va 0x16 ,
which matches the TLS handshake record type.
Then it will read the 2-byte length value at offset 3 and will
continue reading until the entire handshake of that length has been buffered.
If something other than
.Va 0x16
is at offset 0, the kernel will allow the application to receive the
connection descriptor via
.Fn accept 2 .
.Pp
The utility of
.Nm
is such that a server will not have to context switch several times
before performing the initial parsing of the request.
This effectively reduces the amount of required CPU utilization
to handle incoming requests by keeping active
processes in preforking servers such as Apache low
and reducing the size of the file descriptor set that needs
to be managed in servers based on interfaces such as
.Fn select ,
.Fn poll
or
.Fn kevent .
.Sh EXAMPLES
Assuming ACCEPT_FILTER_TLS has been included in the kernel config
file or the
.Nm
module
has been loaded, this will enable the TLS accept filter
on the socket
.Fa sok .
.Bd -literal -offset 0i
	struct accept_filter_arg afa;

	bzero(&afa, sizeof(afa));
	strcpy(afa.af_name, "tlsready");
	setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
.Ed
.Sh SEE ALSO
.Xr setsockopt 2 ,
.Xr accept_filter 9
.Sh HISTORY
The
.Nm
accept filter was introduced in
.Fx 15.0 .
.Sh AUTHORS
The
.Nm
filter was written by
.An Maksim Yevmenkin .