diff options
author | Laurent Bercot <ska-skaware@skarnet.org> | 2021-05-28 01:05:56 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2021-05-28 01:05:56 +0000 |
commit | 02afa553cc33400ead38ac85f8f7f2f3fe79f49d (patch) | |
tree | d0d22ad521d9d3b8e28af128bae0ec796b35ff74 /doc/s6-tlsd-io.html | |
parent | d5ce828c97505e429e0cc87b5e87da4f7d291ad4 (diff) | |
download | s6-networking-02afa553cc33400ead38ac85f8f7f2f3fe79f49d.tar.xz |
Server-side SNI, libtls version
Implementation for bearssl coming soon.
Diffstat (limited to 'doc/s6-tlsd-io.html')
-rw-r--r-- | doc/s6-tlsd-io.html | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index 29f75c3..b2a4a1e 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html @@ -38,7 +38,7 @@ the options given when configuring s6-networking. <h2> Interface </h2> <pre> - s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -d notif ] [ -- ] <em>fdr</em> <em>fdw</em> + s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em> </pre> <ul> @@ -107,7 +107,7 @@ environment variables set: <li> <tt>KEYFILE</tt>: a path to the file containing the server's private key, DER- or PEM-encoded. </li> <li> <tt>CERTFILE</tt>: a path to the file -containing the server's certificate, DER- or PEM-encoded. +containing the server's certificate chain, DER- or PEM-encoded. If PEM-encoded, the file can actually contain a chain of certificates. </li> </ul> @@ -118,6 +118,17 @@ will refuse to run. </p> <p> + Alternatively, if <em>snilevel</em> is nonzero, the private +key for the server named <em>x</em> should be held in a file +whose name is contained in the <tt>KEYFILE:<em>x</em></tt> +environment variable, and the corresponding certificate chain +file should be named in the <tt>CERTFILE:<em>x</em></tt> +environment variable. If <em>snilevel</em> is 2 or more, the +<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables will be +entirely ignored. +</p> + +<p> If you are using client certificates, <tt>s6-tlsd-io</tt> also requires either one of the following variables to be set: </p> @@ -196,6 +207,19 @@ is not to require a client certificate at all. </li> to send data for <em>kimeout</em> milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). </li> + <li> <tt>-k <em>snilevel</em></tt> : support alternative +certificate chains for SNI. If <em>snilevel</em> is nonzero, private +key file names are read from every environment variable of the form +<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that +the client may require, and a corresponding certificate chain for the name +<em>x</em> should exist in the file named after the contents of the +<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em> +is 2 or more, <em>only</em> those files are read, and the generic +<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored. +If <em>snilevel</em> is 0, or if the option is not given, which is the +default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private +key / certificate chain pair that are loaded, no other environment +variable is read for keypairs. </li> <li> <tt>-d <em>notif</em></tt> : handshake notification. <em>notif</em> must be a file descriptor open for writing. When the TLS handshake has completed, some data (terminated by two null |