Add disableTransparentTls call

Summary: Similar to AsyncSocket, allow setting reserved sockopt after bind(). This will be recognized by intercepted accept4() call and forked sockets will properly have the TLS flag disabled. Reviewed By: djwatson Differential Revision: D4458831 fbshipit-source-id: fa753b9d849bd661563364d36229113f7abb0ee0

Add disableTransparentTls call
Summary: Similar to AsyncSocket, allow setting reserved sockopt after bind(). This will be recognized by intercepted accept4() call and forked sockets will properly have the TLS flag disabled. Reviewed By: djwatson Differential Revision: D4458831 fbshipit-source-id: fa753b9d849bd661563364d36229113f7abb0ee0
a73e2ed6 · Petr Lapukhov · Facebook Github Bot · eb8b2d91 · a73e2ed6 · a73e2ed6
Commit a73e2ed6 authored Jan 24, 2017 by Petr Lapukhov Committed by Facebook Github Bot Jan 24, 2017
Show whitespace changes
Inline Side-by-side

Showing with 34 additions and 0 deletions

folly/io/async/AsyncServerSocket.cpp folly/io/async/AsyncServerSocket.cpp +22 -0

folly/io/async/AsyncServerSocket.h folly/io/async/AsyncServerSocket.h +12 -0

No files found.
--- a/folly/io/async/AsyncServerSocket.cpp
+++ b/folly/io/async/AsyncServerSocket.cpp
@@ -281,6 +281,13 @@ void AsyncServerSocket::useExistingSockets(const std::vector<int>& fds) {
    SocketAddress address;
    address.setFromLocalAddress(fd);

+#if __linux__
+    if (noTransparentTls_) {
+      // Ignore return value, errors are ok
+      setsockopt(fd, SOL_SOCKET, SO_NO_TRANSPARENT_TLS, nullptr, 0);
+    }
+#endif
+
    setupSocket(fd, address.getFamily());
    sockets_.emplace_back(eventBase_, fd, this, address.getFamily());
    sockets_.back().changeHandlerFD(fd);
@@ -298,6 +305,7 @@ void AsyncServerSocket::bindSocket(
  sockaddr_storage addrStorage;
  address.getAddress(&addrStorage);
  sockaddr* saddr = reinterpret_cast<sockaddr*>(&addrStorage);
+
  if (fsp::bind(fd, saddr, address.getActualSize()) != 0) {
    if (!isExistingSocket) {
      closeNoInt(fd);
@@ -307,6 +315,13 @@ void AsyncServerSocket::bindSocket(
        address.describe());
  }

+#if __linux__
+  if (noTransparentTls_) {
+    // Ignore return value, errors are ok
+    setsockopt(fd, SOL_SOCKET, SO_NO_TRANSPARENT_TLS, nullptr, 0);
+  }
+#endif
+
  // If we just created this socket, update the EventHandler and set socket_
  if (!isExistingSocket) {
    sockets_.emplace_back(eventBase_, fd, this, address.getFamily());
@@ -413,6 +428,13 @@ void AsyncServerSocket::bind(uint16_t port) {
          SocketAddress::getFamilyNameFrom(res->ai_addr, "<unknown>"));
    }

+#if __linux__
+    if (noTransparentTls_) {
+      // Ignore return value, errors are ok
+      setsockopt(s, SOL_SOCKET, SO_NO_TRANSPARENT_TLS, nullptr, 0);
+    }
+#endif
+
    SocketAddress address;
    address.setFromLocalAddress(s);


--- a/folly/io/async/AsyncServerSocket.h
+++ b/folly/io/async/AsyncServerSocket.h
@@ -38,6 +38,10 @@
 #define SO_REUSEPORT 15
 #endif

+#if defined __linux__ && !defined SO_NO_TRANSPARENT_TLS
+#define SO_NO_TRANSPARENT_TLS 200
+#endif
+
 namespace folly {

 /**
@@ -678,6 +682,13 @@ class AsyncServerSocket : public DelayedDestruction
    tfoMaxQueueSize_ = maxTFOQueueSize;
  }

+  /**
+   * Do not attempt the transparent TLS handshake
+   */
+  void disableTransparentTls() {
+    noTransparentTls_ = true;
+  }
+
  /**
   * Get whether or not the socket is accepting new connections
   */
@@ -857,6 +868,7 @@ class AsyncServerSocket : public DelayedDestruction
  bool reusePortEnabled_{false};
  bool closeOnExec_;
  bool tfo_{false};
+  bool noTransparentTls_{false};
  uint32_t tfoMaxQueueSize_{0};
  ShutdownSocketSet* shutdownSocketSet_;
  ConnectionEventCallback* connectionEventCallback_{nullptr};