Types fix, first pass

 XXX marks what must change when skalibs changes.
 Also started writing functions for client certificate support
in sbearssl, but it's not working yet (need more high-level
support from BearSSL before it can work)

4 files changed, 24 insertions, 22 deletions

diff --git a/doc/index.html b/doc/index.html
index e19457e..48fed00 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -44,22 +44,22 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
  <li> A POSIX-compliant system with a standard C development environment </li>
  <li> GNU make, version 3.81 or later </li>
  <li> <a href="http://skarnet.org/software/skalibs/">skalibs</a> version
-2.4.0.2 or later. It's a build-time requirement. It's also a run-time
+2.5.0.0 or later. It's a build-time requirement. It's also a run-time
 requirement if you link against the shared version of the skalibs
 library. </li>
  <li> <a href="http://skarnet.org/software/execline/">execline</a> version
-2.2.0.0 or later. It's a build-time and run-time requirement. </li>
+2.3.0.0 or later. It's a build-time and run-time requirement. </li>
  <li> <a href="http://skarnet.org/software/s6/">s6</a> version
-2.4.0.0 or later. It's a build-time and run-time requirement. </li>
+2.5.0.0 or later. It's a build-time and run-time requirement. </li>
  <li> <a href="http://skarnet.org/software/s6-dns/">s6-dns</a> version
-2.1.0.0 or later. It's a build-time requirement. It's also a run-time
+2.2.0.0 or later. It's a build-time requirement. It's also a run-time
 requirement if you link against the shared version of the s6-dns
 libraries. </li>
  <li> If you want to build the secure communication tools:
   <ul>
    <li> Either <a href="http://libressl.org/">LibreSSL</a> version 2.4.4
 or later </li>
-   <li> Or <a href="http://bearssl.org/">BearSSL</a> version 0.1
+   <li> Or <a href="http://bearssl.org/">BearSSL</a> version 0.2
 or later. <strong>This is experimental.</strong> </li>
   </ul> The chosen library is a build-time requirement, and also a
 run-time requirement if you link against its shared version. </li>
@@ -76,7 +76,7 @@ run-time requirement if you link against its shared version. </li>
 
 <ul>
  <li> The current released version of s6-networking is
-<a href="s6-networking-2.2.1.0.tar.gz">2.2.1.0</a>. </li>
+<a href="s6-networking-2.3.0.0.tar.gz">2.3.0.0</a>. </li>
  <li> Alternatively, you can checkout a copy of the
 <a href="http://git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking
 git repository</a>:
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index d40820c..39f4680 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -126,10 +126,7 @@ two more environment variables: <tt>KEYFILE</tt> contains
 the path to a file containing the private key, DER- or
 PEM-encoded; and <tt>CERTFILE</tt> contains the path to
 a file containing the client certificate, DER- or
-PEM-encoded. Please note that for now, support for client
-certificates is experimental, and only works
-with the <a href="https://www.libressl.org/">LibreSSL</a>
-backend (BearSSL does not support client certificates yet).
+PEM-encoded.
 </p>
 
 <p>
@@ -229,8 +226,7 @@ and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
  <li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
- <li> <tt>-y</tt>&nbsp;: Send a client certificate. This is experimental and
-for now unsupported by BearSSL. </li>
+ <li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
  <li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp: use Server Name
 Indication, and send <em>servername</em>. The default is not to
 use SNI, which may be a security risk. </li>
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 16f13ec..cda5038 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -147,13 +147,6 @@ of trust anchors, PEM-encoded. </li>
 </ul>
 
 <p>
-Please note that for now, support for client
-certificates is experimental, and only works
-with the <a href="https://www.libressl.org/">LibreSSL</a>
-backend (BearSSL does not support client certificates yet).
-</p>
-
-<p>
  If <tt>s6-tlsd</tt> is run as root, it can also read two
 more environment variables, <tt>TLS_UID</tt> and <tt>TLS_GID</tt>,
 which contain a numeric uid and a numeric gid; <tt>s6-tlsd</tt>
@@ -251,9 +244,10 @@ This is the default. </li>
 and break the connection when <em>prog</em> sends EOF. </li>
  <li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
 connection without using <tt>close_notify</tt>. This is the default. </li>
- <li> <tt>-Y</tt>&nbsp;: Do not require a client certificate. This is the default. </li>
- <li> <tt>-y</tt>&nbsp;: Require a client certificate. This is experimental and
-for now unsupported by BearSSL. </li>
+ <li> <tt>-Y</tt>&nbsp;: Require an optional client certificate. </li>
+ <li> <tt>-y</tt>&nbsp;: Require a mandatory client certificate.
+The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option,
+is not to require a client certificate at all. </li>
  <li> <tt>-K&nbsp;<em>kimeout</em></tt>&nbsp;: close the connection
 if <em>kimeout</em> milliseconds elapse without any data being
 received from either side. The default is 0, which means
diff --git a/doc/upgrade.html b/doc/upgrade.html
index dfd90f0..1cbd9b7 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -18,6 +18,18 @@
 
 <h1> What has changed in s6-networking </h1>
 
+<h2> in 2.3.0.0 </h2>
+
+<ul>
+ <li> BearSSL dependency bumped to 0.2. </li>
+ <li> skalibs dependency bumped to 2.5.0.0. </li>
+ <li> execline dependency bumped to 2.3.0.0. </li>
+ <li> s6 dependency bumped to 2.5.0.0. </li>
+ <li> s6-dns dependency bumped to 2.2.0.0. </li>
+ <li> The meaning of the <tt>-Y</tt> option in <a href="s6-tlsd.html">s6-tlsd</a>
+has changed. Now it means "ask for an optional client certificate". </li>
+</ul>
+
 <h2> in 2.2.1.0 </h2>
 
 <ul>