author:    Laurent Bercot <ska-skaware@skarnet.org>  2021-01-28 13:17:25 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org>  2021-01-28 13:17:25 +0000
commit:    a027959a7fe49483acf86bd65d4266e3cbc4d0b0 (patch)
tree:      4a3f23cd34d53a33c1e08374a4911e827bcbd669
parent:    0545d612be4529492a86a98b5f066d58d7c9436a (diff)
download:  s6-networking-a027959a7fe49483acf86bd65d4266e3cbc4d0b0.tar.xz
Prepare for 2.4.1.0; add SSL_TLS_SNI_SERVERNAME
 INSTALL                                   |  8
 NEWS                                      |  9
 doc/index.html                            | 10
 doc/s6-tlsc-io.html                       |  7
 doc/s6-tlsc.html                          |  2
 doc/s6-tlsd-io.html                       |  7
 doc/s6-tlsd.html                          |  2
 doc/upgrade.html                          | 19
 package/info                              |  2
 src/sbearssl/sbearssl_send_environment.c  |  3
 src/stls/stls_send_environment.c          |  8
 11 files changed, 61 insertions, 16 deletions
diff --git a/INSTALL b/INSTALL
index 79a531a..07e2917 100644
--- a/INSTALL
+++ b/INSTALL
@@ -6,10 +6,10 @@ Build Instructions
- A POSIX-compliant C development environment
- GNU make version 3.81 or later
- - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/
- - Optional (but recommended): execline version 2.7.0.0 or later: https://skarnet.org/software/execline/
- - s6 version 2.10.0.0 or later: https://skarnet.org/software/s6/
- - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/
+ - skalibs version 2.10.0.1 or later: https://skarnet.org/software/skalibs/
+ - Optional (but recommended): execline version 2.7.0.1 or later: https://skarnet.org/software/execline/
+ - s6 version 2.10.0.1 or later: https://skarnet.org/software/s6/
+ - s6-dns version 2.3.5.0 or later: https://skarnet.org/software/s6-dns/
- Depending on whether you build the SSL tools,
bearssl version 0.6 or later: https://bearssl.org/
or libressl version 3.2.2 or later: https://libressl.org/
diff --git a/NEWS b/NEWS
index 83f2c29..e9e34ec 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,14 @@
Changelog for s6-networking.
+In 2.4.1.0
+----------
+
+ - Bugfixes.
+ - Handshake timeout now also works with the libtls backend.
+ - The SNI server name is now exported after the handshake in
+the SSL_TLS_SNI_SERVERNAME variable.
+
+
In 2.4.0.0
----------
diff --git a/doc/index.html b/doc/index.html
index 904fc85..7d39b4e 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -44,15 +44,15 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
<li> A POSIX-compliant system with a standard C development environment </li>
<li> GNU make, version 3.81 or later </li>
<li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version
-2.10.0.0 or later. It's a build-time requirement. It's also a run-time
+2.10.0.1 or later. It's a build-time requirement. It's also a run-time
requirement if you link against the shared version of the skalibs
library. </li>
<li> (Optional, but recommended) <a href="//skarnet.org/software/execline/">execline</a> version
-2.7.0.0 or later. It's a build-time and run-time requirement. </li>
+2.7.0.1 or later. It's a build-time and run-time requirement. </li>
<li> <a href="//skarnet.org/software/s6/">s6</a> version
-2.10.0.0 or later. It's a build-time and run-time requirement. </li>
+2.10.0.1 or later. It's a build-time and run-time requirement. </li>
<li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version
-2.3.3.0 or later. It's a build-time requirement. It's also a run-time
+2.3.5.0 or later. It's a build-time requirement. It's also a run-time
requirement if you link against the shared version of the s6-dns
libraries. </li>
<li> If you want to build the secure communication tools:
@@ -80,7 +80,7 @@ run-time requirement if you link against its shared version. </li>
<ul>
<li> The current released version of s6-networking is
-<a href="s6-networking-2.4.0.0.tar.gz">2.4.0.0</a>. </li>
+<a href="s6-networking-2.4.1.0.tar.gz">2.4.1.0</a>. </li>
<li> Alternatively, you can checkout a copy of the
<a href="//git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking
git repository</a>:
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html
index b2e9ce1..9999d4f 100644
--- a/doc/s6-tlsc-io.html
+++ b/doc/s6-tlsc-io.html
@@ -205,8 +205,11 @@ TLS handshake has completed, some data (terminated by two null
characters) will be sent to file descriptor <em>notif</em>. The
data contains information about the TLS parameters of the connection;
its exact contents are left unspecified, but there's at least
-a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string
-and a <tt>SSL_CIPHER=<em>cipher</em></tt> string, both null-terminated.
+a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string,
+a <tt>SSL_CIPHER=<em>cipher</em></tt> string,
+and a <tt>SSL_TLS_SNI_SERVERNAME=<em>servername</em></tt> string
+ all null-terminated. (<em>servername</em> is the empty string if
+no SNI has been required.)
Sending this data serves a dual purpose: telling the <em>notif</em>
reader that the handshake has completed, and providing it with some
basic information about the connection. If this option is not given,
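Review bot: the added line `+ all null-terminated.` has a stray leading space and the sentence loses its comma: "and a SSL_TLS_SNI_SERVERNAME=servername string all null-terminated" should read "string, all null-terminated." The parenthetical "if no SNI has been required" also reads oddly for the client side, where the name is the one s6-tlsc-io itself sent; "if no SNI server name was sent" is clearer.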
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index 5ff3431..32070c0 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -95,6 +95,8 @@ environment variables:
TLSv1, TLSv1.1, TLSv1.2... </li>
<li> <tt>SSL_CIPHER</tt> contains the name of the cipher
used. </li>
+ <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
+server name, if any, or is empty otherwise. </li>
<li> More similar environment variables containing information
about the connection may be added in the future. </li>
</ul>
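Review bot: "contains the required SNI server name" is ambiguous; for s6-tlsc this is the server name the client sent in its SNI extension, so "contains the SNI server name sent during the handshake, if any, or is empty otherwise" says what the variable actually holds.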
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 8f84728..53b1282 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -200,8 +200,11 @@ TLS handshake has completed, some data (terminated by two null
characters) will be sent to file descriptor <em>notif</em>. The
data contains information about the TLS parameters of the connection;
its exact contents are left unspecified, but there's at least
-a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string
-and a <tt>SSL_CIPHER=<em>cipher</em></tt> string, both null-terminated.
+a <tt>SSL_PROTOCOL=<em>protocol</em></tt> string,
+a <tt>SSL_CIPHER=<em>cipher</em></tt> string,
+and a <tt>SSL_TLS_SNI_SERVERNAME=<em>servername</em></tt> string
+ all null-terminated. (<em>servername</em> is the empty string if
+no SNI has been required.)
Sending this data serves a dual purpose: telling the <em>notif</em>
reader that the handshake has completed, and providing it with some
basic information about the connection. If this option is not given,
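Review bot: same wording and whitespace fix as in doc/s6-tlsc-io.html applies to the `+ all null-terminated.` line here (stray leading space, missing comma after "string"). Since this is the server side, the doc should also state that servername is whatever the client put in its SNI extension, so the notif reader is receiving peer-supplied data and should not rely on it matching any name the server is actually configured for.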
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 579c63c..83b70c1 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -104,6 +104,8 @@ environment variables:
TLSv1, TLSv1.1, TLSv1.2... </li>
<li> <tt>SSL_CIPHER</tt> contains the name of the cipher
used. </li>
+ <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
+server name, if any, or is empty otherwise. </li>
<li> More similar environment variables containing information
about the connection may be added in the future. </li>
</ul>
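Review bot: worth a sentence here that SSL_TLS_SNI_SERVERNAME on the s6-tlsd side is taken verbatim from the client's ClientHello and is therefore untrusted input to the spawned application; programs that use it to pick a virtual host or configuration should match it against an explicit list of known names rather than use it directly.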
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 4df1cb7..c285749 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -18,6 +18,25 @@
<h1> What has changed in s6-networking </h1>
+<h2> in 2.4.1.0 </h2>
+
+<ul>
+ <li> <a href="//skarnet.org/software/skalibs/">skalibs</a>
+dependency bumped to 2.10.0.1 </li>
+ <li> <a href="//skarnet.org/software/execline/">execline</a>
+dependency bumped to 2.7.0.1 </li>
+ <li> <a href="//skarnet.org/software/s6/">s6</a>
+dependency bumped to 2.10.0.1 </li>
+ <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a>
+dependency bumped to 2.3.5.0. </li>
+ <li> Handshake timeout is now functional with the <em>libtls</em>
+backend (previously it only was with the <em>bearssl</em> backend). </li>
+ <li> <a href="s6-tlsc-io.html">s6-tlsc-io</a> and
+<a href="s6-tlsd-io.html">s6-tlsd-io</a> now send the SNI server name,
+if any, in their notification message (when the <tt>-d</tt> option is
+active), in the <tt>SSL_TLS_SNI_SERVERNAME</tt> variable. </li>
+</ul>
+
<h2> in 2.4.0.0 </h2>
<ul>
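Review bot: list punctuation is inconsistent in the new 2.4.1.0 section: "dependency bumped to 2.3.5.0." ends with a period while the three preceding dependency items do not. Also "(previously it only was with the bearssl backend)" reads better as "(previously it was only functional with the bearssl backend)".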
diff --git a/package/info b/package/info
index e053193..539353c 100644
--- a/package/info
+++ b/package/info
@@ -1,4 +1,4 @@
package=s6-networking
-version=2.4.0.0
+version=2.4.1.0
category=net
package_macro_name=S6_NETWORKING
diff --git a/src/sbearssl/sbearssl_send_environment.c b/src/sbearssl/sbearssl_send_environment.c
index 3e1f1e1..2439351 100644
--- a/src/sbearssl/sbearssl_send_environment.c
+++ b/src/sbearssl/sbearssl_send_environment.c
@@ -25,6 +25,9 @@ int sbearssl_send_environment (br_ssl_engine_context *ctx, int fd)
|| buffer_put(&b, "", 1) < 0
|| buffer_puts(&b, "SSL_CIPHER=") < 0
|| buffer_puts(&b, suite) < 0
+ || buffer_put(&b, "", 1) < 0
+ || buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME=") < 0
+ || buffer_puts(&b, br_ssl_engine_get_server_name(ctx)) < 0
|| buffer_putflush(&b, "\0", 2) < 0)
return 0 ;
return 1 ;
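Review bot: unlike the libtls hunk, there is no NULL substitution before `buffer_puts(&b, br_ssl_engine_get_server_name(ctx))`; that is correct because BearSSL's br_ssl_engine_get_server_name returns the engine's internal server_name array, which is the empty string when no SNI was received, but a one-line comment saying so would save the next reader from wondering why the two backends differ.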
diff --git a/src/stls/stls_send_environment.c b/src/stls/stls_send_environment.c
index 1c13602..af0eeb6 100644
--- a/src/stls/stls_send_environment.c
+++ b/src/stls/stls_send_environment.c
@@ -11,14 +11,18 @@
int stls_send_environment (struct tls *ctx, int fd)
{
+ char const *servername = tls_conn_servername(ctx) ;
char buf[4096] ;
buffer b = BUFFER_INIT(&buffer_write, fd, buf, 4096) ;
+ if (!servername) servername = "" ;
if (buffer_puts(&b, "SSL_PROTOCOL=") < 0
|| buffer_puts(&b, tls_conn_version(ctx)) < 0
|| buffer_put(&b, "", 1) < 0
|| buffer_puts(&b, "SSL_CIPHER=") < 0
|| buffer_puts(&b, tls_conn_cipher(ctx)) < 0
- || buffer_putflush(&b, "\0", 2) < 0)
- return 0 ;
+ || buffer_put(&b, "", 1) < 0
+ || buffer_puts(&b, "SSL_TLS_SNI_SERVERNAME=") < 0
+ || buffer_puts(&b, servername) < 0
+ || buffer_putflush(&b, "\0", 2) < 0) return 0 ;
return 1 ;
}
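Review bot: the NULL check `if (!servername) servername = "" ;` is needed here, since tls_conn_servername returns NULL when the peer sent no SNI, and it keeps the notification format identical to the bearssl backend. Style point: the `return 0 ;` was folded onto the condition line (`|| buffer_putflush(&b, "\0", 2) < 0) return 0 ;`), whereas sbearssl_send_environment.c keeps it on its own line; keeping the two files parallel makes them easier to diff against each other.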