That is an interesting exercise, thank you, Dridi. For TLS on TCP, I would hope that passing the session key and file descriptor would work. Have you checked already to which extent this is supported by existing library code?

Yet with the H3/QUIC madness on the horizon, I am not sure if connect()ing the SOCK_DGRAM and passing the fd would work. The way I read the QUIC draft, connections are primarily identified by their ID and migrations need to be supported. I have made no coding attempt on my own, but my impression was that the natural implementation the authors had in mind was a recvfrom(2) loop matching packets based on their connection ID with spoof detection. So, Dridi, have you had a closer look yet if/how your idea could work with QUIC?

Somewhat related: how about having the process owning the private keys also handle all receives into multiple ring buffers, somewhat similar to vsm, but with overrun protection?

Nils

_______________________________________________
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
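The "recvfrom(2) loop matching packets on their connection ID" sketched in the message above, as an added illustration that is not Varnish code nor anything from the thread: it parses the Destination Connection ID out of a QUIC v1 long or short header (RFC 9000 layout) and looks it up in a connection table, dropping datagrams that match nothing. The 8-byte short-header DCID length, the `quic_*` names and the connection table are all assumptions made for the example.

```c
/* Added example, not from Varnish or the mailing-list thread: route a QUIC
 * datagram to a connection by its Destination Connection ID (DCID). Long
 * headers carry an explicit DCID length; short headers do not, so the
 * receiver must know the length it hands out (SHORT_DCID_LEN, assumed here). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SHORT_DCID_LEN 8   /* server-chosen; short headers have no length byte */
#define MAX_CID_LEN   20   /* RFC 9000 limit for QUIC version 1 */

/* Returns the DCID length (0..20) on success, or -1 if the datagram is malformed. */
int quic_extract_dcid(const uint8_t *pkt, size_t len, uint8_t dcid[MAX_CID_LEN])
{
    if (len < 1)
        return -1;
    if (pkt[0] & 0x80) {                     /* long header: form bit set */
        if (len < 6)                         /* flags + 4-byte version + DCID len */
            return -1;
        size_t n = pkt[5];
        if (n > MAX_CID_LEN || len < 6 + n)  /* bounds check before copying */
            return -1;
        memcpy(dcid, pkt + 6, n);
        return (int)n;
    }
    if (len < 1 + SHORT_DCID_LEN)            /* short header: DCID follows flags */
        return -1;
    memcpy(dcid, pkt + 1, SHORT_DCID_LEN);
    return SHORT_DCID_LEN;
}

/* Constructed connection table; a real server maps CIDs to live sessions. */
struct conn { uint8_t cid[MAX_CID_LEN]; int cid_len; const char *name; };
static const struct conn conns[] = {
    { {1, 2, 3, 4, 5, 6, 7, 8}, 8, "conn-A" },
    { {0xaa, 0xbb, 0xcc, 0xdd}, 4, "conn-B" },
};

/* Route a datagram by DCID; NULL means "no such connection, drop it". */
const char *quic_dispatch(const uint8_t *pkt, size_t len)
{
    uint8_t dcid[MAX_CID_LEN];
    int n = quic_extract_dcid(pkt, len, dcid);
    if (n < 0)
        return NULL;
    for (size_t i = 0; i < sizeof conns / sizeof conns[0]; i++)
        if (conns[i].cid_len == n && memcmp(conns[i].cid, dcid, (size_t)n) == 0)
            return conns[i].name;
    return NULL;
}
```

A full implementation would additionally validate the peer address on migration (path validation) before trusting a new source for a known DCID; matching on the DCID alone is only the first step.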