author | Laurent Bercot <ska-skaware@skarnet.org> | 2021-01-28 13:17:25 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2021-01-28 13:17:25 +0000 |
commit | a027959a7fe49483acf86bd65d4266e3cbc4d0b0 (patch) | |
tree | 4a3f23cd34d53a33c1e08374a4911e827bcbd669 | |
parent | 0545d612be4529492a86a98b5f066d58d7c9436a (diff) | |
download | s6-networking-a027959a7fe49483acf86bd65d4266e3cbc4d0b0.tar.xz |
Prepare for 2.4.1.0; add SSL_TLS_SNI_SERVERNAME
-rw-r--r-- | INSTALL | 8 | ||||
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | doc/index.html | 10 | ||||
-rw-r--r-- | doc/s6-tlsc-io.html | 7 | ||||
-rw-r--r-- | doc/s6-tlsc.html | 2 | ||||
-rw-r--r-- | doc/s6-tlsd-io.html | 7 | ||||
-rw-r--r-- | doc/s6-tlsd.html | 2 | ||||
-rw-r--r-- | doc/upgrade.html | 19 | ||||
-rw-r--r-- | package/info | 2 | ||||
-rw-r--r-- | src/sbearssl/sbearssl_send_environment.c | 3 | ||||
-rw-r--r-- | src/stls/stls_send_environment.c | 8 |
11 files changed, 61 insertions, 16 deletions
@@ -6,10 +6,10 @@ Build Instructions
  - A POSIX-compliant C development environment
  - GNU make version 3.81 or later
- - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/
- - Optional (but recommended): execline version 2.7.0.0 or later: https://skarnet.org/software/execline/
- - s6 version 2.10.0.0 or later: https://skarnet.org/software/s6/
- - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/
+ - skalibs version 2.10.0.1 or later: https://skarnet.org/software/skalibs/
+ - Optional (but recommended): execline version 2.7.0.1 or later: https://skarnet.org/software/execline/
+ - s6 version 2.10.0.1 or later: https://skarnet.org/software/s6/
+ - s6-dns version 2.3.5.0 or later: https://skarnet.org/software/s6-dns/
  - Depending on whether you build the SSL tools, bearssl version 0.6 or later: https://bearssl.org/ or libressl version 3.2.2 or later: https://libressl.org/
@@ -1,5 +1,14 @@
 Changelog for s6-networking.
+In 2.4.1.0
+----------
+
+ - Bugfixes.
+ - Handshake timeout now also works with the libtls backend.
+ - The SNI server name is now exported after the handshake in
+the SSL_TLS_SNI_SERVERNAME variable.
+
+
 In 2.4.0.0
 ----------
diff --git a/doc/index.html b/doc/index.html
index 904fc85..7d39b4e 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -44,15 +44,15 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
 <li> A POSIX-compliant system with a standard C development environment </li>
 <li> GNU make, version 3.81 or later </li>
 <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version
-2.10.0.0 or later. It's a build-time requirement. It's also a run-time
+2.10.0.1 or later. It's a build-time requirement. It's also a run-time
 requirement if you link against the shared version of the skalibs library. </li>
 <li> (Optional, but recommended)
 <a href="//skarnet.org/software/execline/">execline</a> version
-2.7.0.0 or later. It's a build-time and run-time requirement. </li>
+2.7.0.1 or later. It's a build-time and run-time requirement. </li>
 <li> <a href="//skarnet.org/software/s6/">s6</a> version
-2.10.0.0 or later. It's a build-time and run-time requirement. </li>
+2.10.0.1 or later. It's a build-time and run-time requirement. </li>
 <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version
-2.3.3.0 or later. It's a build-time requirement. It's also a run-time
+2.3.5.0 or later. It's a build-time requirement. It's also a run-time
 requirement if you link against the shared version of the s6-dns libraries. </li>
 <li> If you want to build the secure communication tools:
@@ -80,7 +80,7 @@ run-time requirement if you link against its shared version. </li>
 <ul>
  <li> The current released version of s6-networking is
-<a href="s6-networking-2.4.0.0.tar.gz">2.4.0.0</a>. </li>
+<a href="s6-networking-2.4.1.0.tar.gz">2.4.1.0</a>. </li>
  <li> Alternatively, you can checkout a copy of the
 <a href="//git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking git repository</a>:
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html
index b2e9ce1..9999d4f 100644
--- a/doc/s6-tlsc-io.html
+++ b/doc/s6-tlsc-io.html
@@ -205,8 +205,11 @@ TLS handshake has completed, some data (terminated by two null characters)
 will be sent to file descriptor <em>notif</em>. The data contains
 information about the TLS parameters of the connection; its exact
 contents are left unspecified, but there's at least
-a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string
-and a <tt>SSL_CIPHER=<em>cipher</em></tt> string, both null-terminated.
+a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string,
+a <tt>SSL_CIPHER=<em>cipher</em></tt> string,
+and a <tt>SSL_TLS_SNI_SERVERNAME=<em>servername</em></tt> string
+ all null-terminated. (<em>servername</em> is the empty string if
+no SNI has been required.)
 Sending this data serves a dual purpose: telling the <em>notif</em>
 reader that the handshake has completed, and providing it with some
 basic information about the connection. If this option is not given,
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index 5ff3431..32070c0 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -95,6 +95,8 @@ environment variables:
 TLSv1, TLSv1.1, TLSv1.2... </li>
  <li> <tt>SSL_CIPHER</tt> contains the name of the cipher used. </li>
+ <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
+server name, if any, or is empty otherwise. </li>
  <li> More similar environment variables containing information about the
 connection may be added in the future. </li>
 </ul>
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 8f84728..53b1282 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -200,8 +200,11 @@ TLS handshake has completed, some data (terminated by two null characters)
 will be sent to file descriptor <em>notif</em>. The data contains
 information about the TLS parameters of the connection; its exact
 contents are left unspecified, but there's at least
-a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string
-and a <tt>SSL_CIPHER=<em>cipher</em></tt> string, both null-terminated.
+a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string,
+a <tt>SSL_CIPHER=<em>cipher</em></tt> string,
+and a <tt>SSL_TLS_SNI_SERVERNAME=<em>servername</em></tt> string
+ all null-terminated. (<em>servername</em> is the empty string if
+no SNI has been required.)
 Sending this data serves a dual purpose: telling the <em>notif</em>
 reader that the handshake has completed, and providing it with some
 basic information about the connection. If this option is not given,
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 579c63c..83b70c1 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -104,6 +104,8 @@ environment variables:
 TLSv1, TLSv1.1, TLSv1.2... </li>
  <li> <tt>SSL_CIPHER</tt> contains the name of the cipher used. </li>
+ <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
+server name, if any, or is empty otherwise. </li>
  <li> More similar environment variables containing information about the
 connection may be added in the future. </li>
 </ul>
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 4df1cb7..c285749 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -18,6 +18,25 @@
 <h1> What has changed in s6-networking </h1>
+<h2> in 2.4.1.0 </h2>
+
+<ul>
+ <li> <a href="//skarnet.org/software/skalibs/">skalibs</a>
+dependency bumped to 2.10.0.1 </li>
+ <li> <a href="//skarnet.org/software/execline/">execline</a>
+dependency bumped to 2.7.0.1 </li>
+ <li> <a href="//skarnet.org/software/s6/">s6</a>
+dependency bumped to 2.10.0.1 </li>
+ <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a>
+dependency bumped to 2.3.5.0. </li>
+ <li> Handshake timeout is now functional with the <em>libtls</em>
+backend (previously it only was with the <em>bearssl</em> backend). </li>
+ <li> <a href="s6-tlsc-io.html">s6-tlsc-io</a> and
+<a href="s6-tlsd-io.html">s6-tlsd-io</a> now send the SNI server name,
+if any, in their notification message (when the <tt>-d</tt> option is
+active), in the <tt>SSL_TLS_SNI_SERVERNAME</tt> variable. </li>
+</ul>
+
 <h2> in 2.4.0.0 </h2>
 <ul>
diff --git a/package/info b/package/info
index e053193..539353c 100644
--- a/package/info
+++ b/package/info
@@ -1,4 +1,4 @@
 package=s6-networking
-version=2.4.0.0
+version=2.4.1.0
 category=net
 package_macro_name=S6_NETWORKING
diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c
index 3e1f1e1..2439351 100644
--- a/src/sbearssl/sbearssl_send_environment.c
+++ b/src/sbearssl/sbearssl_send_environment.c
@@ -25,6 +25,9 @@ int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd)
    || buffer_put(&b, "", 1) < 0
    || buffer_puts(&b, "SSL_CIPHER=") < 0
    || buffer_puts(&b, suite) < 0
+   || buffer_put(&b, "", 1) < 0
+   || buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME=") < 0
+   || buffer_puts(&b, br_ssl_engine_get_server_name(ctx)) < 0
    || buffer_putflush(&b, "\0", 2) < 0)
     return 0 ;
   return 1 ;
diff --git a/src/stls/stls_send_environment.c b/src/stls/stls_send_environment.c
index 1c13602..af0eeb6 100644
--- a/src/stls/stls_send_environment.c
+++ b/src/stls/stls_send_environment.c
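Review bot: The new `buffer_puts(&b, br_ssl_engine_get_server_name(ctx))` line has no NULL guard, which is fine only because BearSSL hands back a pointer into the engine's own fixed-size server-name buffer and that buffer holds the empty string when no SNI was exchanged; that asymmetry with the libtls path (which does need the guard in stls_send_environment.c) is worth a comment, e.g. `/* BearSSL returns its internal server_name buffer, "" if no SNI: never NULL */`. Separately, when this runs in the accepting role the exported name is copied straight from the peer's ClientHello and is not authenticated by the handshake, so consumers of SSL_TLS_SNI_SERVERNAME should treat it as untrusted input rather than as a verified identity; the same holds for the stls hunk below, and the s6-tlsd documentation added in this commit would benefit from saying so. The enclosing function starts before this hunk, so the earlier SSL_PROTOCOL fields and `proto`/`suite` setup are not visible here.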
@@ -11,14 +11,18 @@ int stls_send_environment (struct tls *ctx, int fd)
 {
+  char const *servername = tls_conn_servername(ctx) ;
   char buf[4096] ;
   buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ;
+  if (!servername) servername = "" ;
   if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
    || buffer_puts(&b, tls_conn_version(ctx)) < 0
    || buffer_put(&b, "", 1) < 0
    || buffer_puts(&b, "SSL_CIPHER=") < 0
    || buffer_puts(&b, tls_conn_cipher(ctx)) < 0
-   || buffer_putflush(&b, "\0", 2) < 0)
-    return 0 ;
+   || buffer_put(&b, "", 1) < 0
+   || buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME=") < 0
+   || buffer_puts(&b, servername) < 0
+   || buffer_putflush(&b, "\0", 2) < 0) return 0 ;
   return 1 ;
 }
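Review bot: The `if (!servername) servername = "" ;` fallback is correct, since `tls_conn_servername()` can return NULL when no server name is available, but the reason is invisible at the call site and a reader may be tempted to drop it; a short comment keeps it safe, e.g. `/* NULL when no SNI is available; export "" so the record always carries the field */`. As a point of style, the rewritten `|| buffer_putflush(&b, "\0", 2) < 0) return 0 ;` folds the early return onto the condition line, whereas the two removed lines (and, as far as this page shows, the sbearssl counterpart) keep `return 0 ;` on its own line; picking one form for both backends would make the two files read alike.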