Diffstat (limited to 'share/man/man9/accf_tls.9')
-rw-r--r--share/man/man9/accf_tls.995
1 files changed, 95 insertions, 0 deletions
diff --git a/share/man/man9/accf_tls.9 b/share/man/man9/accf_tls.9
new file mode 100644
index 000000000000..331ea2aa4fb8
--- /dev/null
+++ b/share/man/man9/accf_tls.9
@@ -0,0 +1,95 @@
+.\"
+.\" Copyright (c) 2024 Gleb Smirnoff <glebius@FreeBSD.org>
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE DEVELOPERS ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE DEVELOPERS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" "
+.Dd April 24, 2024
+.Dt ACCF_TLS 9
+.Os
+.Sh NAME
+.Nm accf_tls
+.Nd "buffer incoming connections until a TLS handshake like requests arrive"
+.Sh SYNOPSIS
+.Nm options INET
+.Nm options ACCEPT_FILTER_TLS
+.Nm kldload accf_tls
+.Sh DESCRIPTION
+This is a filter to be placed on a socket that will be using
+.Fn accept 2
+to receive incoming HTTPS connections.
+It prevents the application from receiving the connected descriptor via
+.Fn accept 2
+until a full TLS handshake has been buffered by the kernel.
+The
+.Nm
+will first check that byte at offset 0 is
+.Va 0x16 ,
+which matches handshake type.
+Then it will read 2-byte request length value at offset 3 and will
+continue reading until reading the entire length of the handshake is buffered.
+If something other than
+.Va 0x16
+is at offset 0, the kernel will allow the application to receive the
+connection descriptor via
+.Fn accept 2 .
+.Pp
+The utility of
+.Nm
+is such that a server will not have to context switch several times
+before performing the initial parsing of the request.
+This effectively reduces the amount of required CPU utilization
+to handle incoming requests by keeping active
+processes in preforking servers such as Apache low
+and reducing the size of the file descriptor set that needs
+to be managed by interfaces such as
+.Fn select ,
+.Fn poll
+or
+.Fn kevent
+based servers.
+.Sh EXAMPLES
+Assuming ACCEPT_FILTER_TLS has been included in the kernel config
+file or the
+.Nm
+module
+has been loaded, this will enable the TLS accept filter
+on the socket
+.Fa sok .
+.Bd -literal -offset 0i
+ struct accept_filter_arg afa;
+
+ bzero(&afa, sizeof(afa));
+ strcpy(afa.af_name, "tlsready");
+ setsockopt(sok, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
+.Ed
+.Sh SEE ALSO
+.Xr setsockopt 2 ,
+.Xr accept_filter 9
+.Sh HISTORY
+The
+.Nm
+accept filter was introduced in
+.Fx 15.0 .
+.Sh AUTHORS
+The
+.Nm
+filter was written by
+.An Maksim Yevmenkin .