Coming Soon

From `apt install nginx` to `accept()`

Owning TLS termination inside your daemon

2026-06-03 ~10 min
Coming soon. This article is on the writing queue. The outline below sketches what the finished piece will cover. In the meantime, the Celenite Stack reference and the source on github.com/davestj are the best places to dig into the underlying systems.

A practical walkthrough of moving TLS termination out of the proxy layer and into the application daemon itself — OpenSSL setup, modern cipher suites, per-listener mTLS, and what you gain operationally by owning the socket from accept() to response.

Live repository: davestj/Mcaster1BackDraft (private). Web Application Firewall + nginx Log Analyzer + SysOps. PHP, last updated Mar 25, 2026.

What the article will cover

Why move TLS out of the proxy

The cost of an extra hop, the value of certs-as-code, and what per-listener mTLS unlocks.

OpenSSL bootstrap

Initializing a TLS context, loading certs from disk, picking a modern cipher suite, enabling session resumption.

The accept() loop

How a hardware-aware thread pool hands off TLS handshakes without blocking the listen socket.

Per-listener client certs

Optional mTLS on a subset of endpoints (e.g., the agent API) without affecting public TLS.

Cert rotation without downtime

SIGHUP-driven reload pattern. What in-flight connections do during a rotation.
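The reload pattern sketched above, and the way the accept() loop hands each connection a context it keeps for its whole lifetime, can be shown without OpenSSL. The following is an added example written for this outline, not code from the article or from the Mcaster1BackDraft project. `TlsContext` is a constructed stand-in for an OpenSSL `SSL_CTX`, `load_context` simulates loading cert and key files from disk (an empty name stands for a file that fails to load), and all other names are assumptions. The point it demonstrates: a connection pins the context generation it was accepted under, a rotation publishes a fully built replacement only after loading succeeds, the signal handler does nothing but set a flag, and the old context is freed when the last in-flight connection using it closes.

```cpp
#include <csignal>
#include <cstdio>
#include <memory>
#include <mutex>
#include <string>

// Stand-in for an OpenSSL SSL_CTX built from the cert/key on disk.
// Constructed for this example; not a type from the article or project.
struct TlsContext {
    std::string cert_serial;  // which certificate generation this context carries
    int generation;           // reload counter, increases on every successful rotation
};

// Simulated "load from disk". The real version would call
// SSL_CTX_use_certificate_chain_file / SSL_CTX_use_PrivateKey_file and
// return nullptr on any failure; here an empty serial plays the broken file.
std::shared_ptr<TlsContext> load_context(const std::string& cert_serial, int generation) {
    if (cert_serial.empty()) return nullptr;
    return std::make_shared<TlsContext>(TlsContext{cert_serial, generation});
}

// The single published "current" context. The accept loop reads it, the
// reloader replaces it. The mutex only guards the pointer swap; a published
// context is never mutated, so holders need no lock afterwards.
static std::shared_ptr<TlsContext> g_current;
static std::mutex g_current_mu;
static int g_generation = 0;  // written only by the reloader (single writer)

std::shared_ptr<TlsContext> current_context() {
    std::lock_guard<std::mutex> lk(g_current_mu);
    return g_current;  // copying the shared_ptr pins this generation for the caller
}

// Rotation: build the replacement completely (outside the lock, so acceptors
// are not stalled by disk I/O) before publishing it. A broken cert on disk
// therefore leaves the old, working context in service.
bool rotate(const std::string& cert_serial) {
    auto fresh = load_context(cert_serial, g_generation + 1);
    if (!fresh) return false;
    std::lock_guard<std::mutex> lk(g_current_mu);
    g_current = std::move(fresh);
    ++g_generation;
    return true;
}

// SIGHUP handler: only set a flag. Parsing PEM files inside a signal handler
// is not async-signal-safe; the daemon's main loop does the real work.
static volatile std::sig_atomic_t g_reload_requested = 0;
extern "C" void on_sighup(int) { g_reload_requested = 1; }

// Called from the main loop on each iteration. Returns true only when a
// rotation actually happened.
bool service_reload_request(const std::string& cert_serial) {
    if (!g_reload_requested) return false;
    g_reload_requested = 0;
    return rotate(cert_serial);
}

// A connection pins the context it was accepted under. The worker thread
// that runs the handshake (SSL_new on this context in a real daemon) and
// serves the request keeps using it even if a rotation lands meanwhile;
// the old context is destroyed when the last such connection goes away.
struct Connection {
    std::shared_ptr<TlsContext> ctx;
};

Connection accept_connection() {
    return Connection{current_context()};
}

int main() {
    std::signal(SIGHUP, on_sighup);
    rotate("cert-2026-A");                  // initial load at startup
    Connection a = accept_connection();     // accepted under generation 1
    std::raise(SIGHUP);                     // operator swapped the files on disk
    service_reload_request("cert-2026-B");  // main loop picks the request up
    Connection b = accept_connection();     // new connections get generation 2
    std::printf("a=%s b=%s\n", a.ctx->cert_serial.c_str(), b.ctx->cert_serial.c_str());
    return 0;
}
```

Two things to check when adapting this to a real `SSL_CTX`: the worker must hold its reference for as long as any `SSL` object created from the context is alive, and a failed reload should be logged loudly, since the daemon keeps serving the old certificate until someone fixes the file.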

What you lose vs gain

No ALB-style WAF in front, no edge caching for free. But: simpler ops, tighter security boundary, easier debugging.

Tags: tls, openssl, c++, security