path: root/doc/s6-tlsc-io.html
author: Laurent Bercot <ska-skaware@skarnet.org> 2020-12-07 12:53:54 +0000
committer: Laurent Bercot <ska-skaware@skarnet.org> 2020-12-07 12:53:54 +0000
commit: f7e676abdc799fcee5138807447b5e91ab05508f
tree: 8ae74c9bf26c3ffde8acd9330787ab2b80902bb0 /doc/s6-tlsc-io.html
parent: 0de4e6e0703f47be954f4cfa37648dd58665c819
Change -K semantics: timeout *during handshake*, not afterwards
- the TLS tunnel itself should be transparent so it has no business shutting down the connection no matter how long the app takes
- there's still an undetectable situation on some kernels where EOF doesn't get transmitted from the network, and the engine is in the handshake, and it can't do anything but wait forever. A timeout is useful here: dawg, your peer is never going to send any more data, you should just give up.
- if the situation happens after the handshake, the *app* should have a timeout and die. The tunnel will follow suit.
- libtls has a blocking tls_handshake() blackbox, we cannot give it a timeout. Too bad, use bearssl.
Diffstat (limited to 'doc/s6-tlsc-io.html')
-rw-r--r-- doc/s6-tlsc-io.html | 10
1 file changed, 6 insertions, 4 deletions
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html
index 2f02841..d4c1b7e 100644
--- a/doc/s6-tlsc-io.html
+++ b/doc/s6-tlsc-io.html
@@ -195,10 +195,12 @@ connection without using <tt>close_notify</tt>. This is the default. </li>
<li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
Indication, and send <em>servername</em>. The default is not to
use SNI, which may be a security risk. </li>
- <li> <tt>-K&nbsp;<em>kimeout</em></tt>&nbsp;: close the connection
-if <em>kimeout</em> milliseconds elapse without any data being
-received from either side. The default is 0, which means
-infinite timeout (never kill the connection). </li>
+ <li> <tt>-K&nbsp;<em>kimeout</em></tt>&nbsp;: if the peer fails
+to send data for <em>kimeout</em> milliseconds during the handshake,
+close the connection. The default is 0, which means infinite timeout
+(never kill the connection). This option is ignored by the
+<tt>libtls</tt> backend, which does not have a way to interrupt
+the handshake after a timeout. </li>
<li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: handshake notification.
<em>notif</em> must be a file descriptor open for writing. When the
TLS handshake has completed, some data (terminated by two null
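Review bot: the rewritten <tt>-K</tt> item changes the option from a post-handshake idle timeout to a handshake-only timeout but never tells the reader what now covers the post-handshake case; the commit message says the application is expected to enforce its own timeout and that the tunnel will follow when it exits, so a sentence such as "After the handshake, s6-tlsc-io never closes the connection on its own; the application is expected to apply its own timeout" would keep users who relied on the old semantics from a silent behaviour change. Two smaller points: the text should say what happens when the handshake timeout fires (how the failure is reported and whether the <tt>-d</tt> notification is still written), and "ignored by the <tt>libtls</tt> backend" should make clear that the option is accepted silently rather than rejected, since a security-relevant option that does nothing is easy to misread as working.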