| author | Laurent Bercot <ska-skaware@skarnet.org> | 2020-12-07 12:53:54 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2020-12-07 12:53:54 +0000 |
| commit | f7e676abdc799fcee5138807447b5e91ab05508f (patch) | |
| tree | 8ae74c9bf26c3ffde8acd9330787ab2b80902bb0 /doc/s6-tlsc.html | |
| parent | 0de4e6e0703f47be954f4cfa37648dd58665c819 (diff) | |
| download | s6-networking-f7e676abdc799fcee5138807447b5e91ab05508f.tar.xz | |
Change -K semantics: timeout *during handshake*, not afterwards
- the TLS tunnel itself should be transparent so it has no business
shutting down the connection no matter how long the app takes
- there's still an undetectable situation on some kernels where
EOF doesn't get transmitted from the network, and the engine is in
the handshake, and it can't do anything but wait forever. A timeout
is useful here: dawg, your peer is never going to send any more data,
you should just give up.
- if the situation happens after the handshake, the *app* should
have a timeout and die. The tunnel will follow suit.
- libtls has a blocking tls_handshake() blackbox, we cannot give it
a timeout. Too bad, use bearssl.
Diffstat (limited to 'doc/s6-tlsc.html')
-rw-r--r-- | doc/s6-tlsc.html | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html index c2e7521..5ff3431 100644 --- a/doc/s6-tlsc.html +++ b/doc/s6-tlsc.html @@ -121,10 +121,12 @@ connection without using <tt>close_notify</tt>. This is the default. </li> <li> <tt>-k <em>servername</em></tt> : use Server Name Indication, and send <em>servername</em>. The default is not to use SNI, which may be a security risk. </li> - <li> <tt>-K <em>kimeout</em></tt> : close the connection -if <em>kimeout</em> milliseconds elapse without any data being -received from either side. The default is 0, which means -infinite timeout (never kill the connection). </li> + <li> <tt>-K <em>kimeout</em></tt> : if the peer fails +to send data for <em>kimeout</em> milliseconds during the handshake, +close the connection. The default is 0, which means infinite timeout +(never kill the connection). This option is ignored by the +<tt>libtls</tt> backend, which does not have a way to interrupt +the handshake after a timeout. </li> <li> <tt>-6 <em>fdr</em></tt> : expect an open file descriptor numbered <em>fdr</em> to read network (ciphertext) data from. Make sure <em>prog</em> also reads its data |
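Review bot: the new `-K` paragraph should spell out the consequence of "ignored" for the `libtls` backend: a user who passes `-K` to guard against the stuck-handshake case described in the commit message gets no protection at all, and nothing in the text says whether the option is silently accepted or whether a warning is printed. Suggest stating explicitly that the value is accepted but has no effect, and that anyone who needs a handshake timeout must build against bearssl. It would also help to add one sentence noting that, after the handshake, idle connections are never closed by the tunnel and the application is expected to enforce its own timeout, since that is the new contract the semantics change introduces and the removed text ("without any data being received from either side") no longer conveys it.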