xref: /freebsd/share/man/man9/accf_tls.9 (revision b64c5a0ace59af62eff52bfe110a521dc73c937b)
1.\"
2.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
14.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
17.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23.\" "
24.Dd April 24, 2024
25.Dt ACCF_TLS 9
26.Os
27.Sh NAME
28.Nm accf_tls
29.Nd "buffer incoming connections until a TLS handshake like request arrives"
30.Sh SYNOPSIS
31.Nm options INET
32.Nm options ACCEPT_FILTER_TLS
33.Nm kldload accf_tls
34.Sh DESCRIPTION
35This is a filter to be placed on a socket that will be using
36.Fn accept 2
37to receive incoming HTTPS connections.
38It prevents the application from receiving the connected descriptor via
39.Fn accept 2
40until a full TLS handshake has been buffered by the kernel.
41The
42.Nm
43will first check that byte at offset 0 is
44.Va 0x16 ,
45which matches handshake type.
46Then it will read 2-byte request length value at offset 3 and will
47continue reading until reading the entire length of the handshake is buffered.
48If something other than
49.Va 0x16
50is at offset 0, the kernel will allow the application to receive the
51connection descriptor via
52.Fn accept 2 .
53.Pp
54The utility of
55.Nm
56is such that a server will not have to context switch several times
57before performing the initial parsing of the request.
58This effectively reduces the amount of required CPU utilization
59to handle incoming requests by keeping active
60processes in preforking servers such as Apache low
61and reducing the size of the file descriptor set that needs
62to be managed by interfaces such as
63.Fn select ,
64.Fn poll
65or
66.Fn kevent
67based servers.
68.Sh EXAMPLES
69Assuming ACCEPT_FILTER_TLS has been included in the kernel config
70file or the
71.Nm
72module
73has been loaded, this will enable the TLS accept filter
74on the socket
75.Fa sok .
76.Bd -literal -offset 0i
77	struct accept_filter_arg afa;
78
79	bzero(&afa, sizeof(afa));
80	strcpy(afa.af_name, "tlsready");
81	setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
82.Ed
83.Sh SEE ALSO
84.Xr setsockopt 2 ,
85.Xr accept_filter 9
86.Sh HISTORY
87The
88.Nm
89accept filter was introduced in
90.Fx 15.0 .
91.Sh AUTHORS
92The
93.Nm
94filter was written by
95.An Maksim Yevmenkin .
96