1.\" 2.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org> 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 13.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR 14.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT, 17.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23.\" " 24.Dd April 24, 2024 25.Dt ACCF_TLS 9 26.Os 27.Sh NAME 28.Nm accf_tls 29.Nd "buffer incoming connections until a TLS handshake like requests arrive" 30.Sh SYNOPSIS 31.Nm options INET 32.Nm options ACCEPT_FILTER_TLS 33.Nm kldload accf_tls 34.Sh DESCRIPTION 35This is a filter to be placed on a socket that will be using 36.Fn accept 2 37to receive incoming HTTPS connections. 38It prevents the application from receiving the connected descriptor via 39.Fn accept 2 40until a full TLS handshake has been buffered by the kernel. 41The 42.Nm 43will first check that byte at offset 0 is 44.Va 0x16 , 45which matches handshake type. 46Then it will read 2-byte request length value at offset 3 and will 47continue reading until reading the entire length of the handshake is buffered. 48If something other than 49.Va 0x16 50is at offset 0, the kernel will allow the application to receive the 51connection descriptor via 52.Fn accept 2 . 53.Pp 54The utility of 55.Nm 56is such that a server will not have to context switch several times 57before performing the initial parsing of the request. 58This effectively reduces the amount of required CPU utilization 59to handle incoming requests by keeping active 60processes in preforking servers such as Apache low 61and reducing the size of the file descriptor set that needs 62to be managed by interfaces such as 63.Fn select , 64.Fn poll 65or 66.Fn kevent 67based servers. 68.Sh EXAMPLES 69Assuming ACCEPT_FILTER_TLS has been included in the kernel config 70file or the 71.Nm 72module 73has been loaded, this will enable the TLS accept filter 74on the socket 75.Fa sok . 76.Bd -literal -offset 0i 77 struct accept_filter_arg afa; 78 79 bzero(&afa, sizeof(afa)); 80 strcpy(afa.af_name, "tlsready"); 81 setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa)); 82.Ed 83.Sh SEE ALSO 84.Xr setsockopt 2 , 85.Xr accept_filter 9 86.Sh HISTORY 87The 88.Nm 89accept filter was introduced in 90.Fx 15.0 . 91.Sh AUTHORS 92The 93.Nm 94filter was written by 95.An Maksim Yevmenkin . 96