author    Laurent Bercot <ska-skaware@skarnet.org>  2023-11-16 05:13:06 +0000
committer Laurent Bercot <ska@appnovation.com>      2023-11-16 05:13:06 +0000
commit    26597a785ec2dd4e9ec9fb7d9765d2ee8779ee16 (patch)
tree      c2c5602397e9381b1cb04472ed057edd4a00e520 /doc
parent    d8ca717da164c3e76ebb56c954d0a08544955601 (diff)
download  s6-networking-26597a785ec2dd4e9ec9fb7d9765d2ee8779ee16.tar.xz
Add -J and -j to the TLS tools to check for peer close_notify.

Also, and more importantly, significantly rewrite stls_run() for better full-duplex support. This implementation isn't fully tested yet.

Signed-off-by: Laurent Bercot <ska@appnovation.com>
Diffstat (limited to 'doc')
-rw-r--r--  doc/s6-tlsc-io.html    6
-rw-r--r--  doc/s6-tlsc.html       5
-rw-r--r--  doc/s6-tlsclient.html  1
-rw-r--r--  doc/s6-tlsd-io.html    6
-rw-r--r--  doc/s6-tlsd.html       5
-rw-r--r--  doc/s6-tlsserver.html  1
-rw-r--r--  doc/s6-ucspitlsc.html  5
-rw-r--r--  doc/s6-ucspitlsd.html  5
8 files changed, 28 insertions, 6 deletions
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html
index f4a81a2..17a4e26 100644
--- a/doc/s6-tlsc-io.html
+++ b/doc/s6-tlsc-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
<h2> Interface </h2>
<pre>
- s6-tlsc-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
+ s6-tlsc-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
</pre>
<ul>
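Review bot: the rewritten synopsis line still carries `-K kimeout` with the argument in plain text, while every other placeholder on the line (`verbosity`, `servername`, `notif`, `fdr`, `fdw`) is in `<em>`, and the s6-tlsd-io.html synopsis in this same patch writes it as `-K <em>kimeout</em>`; since the line is being touched anyway, wrap `kimeout` in `<em>` here too.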
@@ -190,6 +190,10 @@ no effect. </li>
and break the connection when receiving a local EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as an error: print a fatal error message and exit 98. </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as a normal exit condition. This is the default. </li>
<li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
<li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
<li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
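Review bot: in the two new items `close_notify` is plain text, whereas the `-s` item directly above marks it up as `<tt>close_notify</tt>`; use the same markup. The `-J` item also introduces exit code 98, so if this page has an exit codes section it should list 98 with this meaning. A short reason for wanting `-J` would help readers: an EOF that arrives with no preceding close_notify means the connection ended without the TLS-level end-of-stream signal, so the application cannot tell whether it received the whole stream or a truncated one.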
diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index 1d11c5b..aff6828 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -29,7 +29,7 @@ TLS/SSL.
<h2> Interface </h2>
<pre>
- s6-tlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
+ s6-tlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
</pre>
<ul>
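Review bot: same markup nit as the s6-tlsc-io.html synopsis: the rewritten line keeps `-K kimeout` unmarked while the other argument placeholders on it (`verbosity`, `servername`, `rfd`, `wfd`, `prog...`) are in `<em>`; mark `kimeout` up the same way.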
@@ -126,6 +126,9 @@ before execing <em>prog...</em>. This is the default. </li>
and break the connection when <em>prog</em> sends EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsc-io.html">s6-tlsc-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
<li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
<li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
<li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
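Review bot: the `-j` item here reads `treat EOF from the peer as a normal exit condition` and does not say it is the default, while the s6-tlsc-io.html entry in this patch reads `as a normal exit condition. This is the default.` and qualifies the EOF as one `without a prior close_notify`; since s6-tlsc only hands the option to s6-tlsc-io, presumably `-j` is the default here as well, and if so the item should say so and carry the same qualifier. Both new items also end without a period, unlike the neighbouring `-s` and `-Y` items.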
diff --git a/doc/s6-tlsclient.html b/doc/s6-tlsclient.html
index 287c02c..09276d4 100644
--- a/doc/s6-tlsclient.html
+++ b/doc/s6-tlsclient.html
@@ -144,6 +144,7 @@ generally work: the defaults are sensible.
<li> <tt>-Z</tt>, <tt>-z</tt>&nbsp;: keep or remove the <a href="s6-tlsc-io.html">s6-tlsc-io</a>-specific
variables from the application's environment </li>
<li> <tt>-S</tt>, <tt>-s</tt>&nbsp;: use close_notify or EOF to signal the end of a TLS connection </li>
+ <li> <tt>-J</tt>, <tt>-j</tt>&nbsp;: exit nonzero with an error message when the peer fails to close_notify, or ignore it </li>
<li> <tt>-Y</tt>, <tt>-y</tt>&nbsp;: don't send, or send, a client certificate </li>
<li> <tt>-k <em>servername</em></tt>&nbsp;: use SNI and provide a server name </li>
<li> <tt>-K <em>kimeout</em></tt>&nbsp;: set a timeout for the TLS handshake </li>
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 0f3b922..55e293f 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
<h2> Interface </h2>
<pre>
- s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
+ s6-tlsd-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
</pre>
<ul>
@@ -210,6 +210,10 @@ no effect. </li>
and break the connection when receiving a local EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as an error: print a fatal error message and exit 98. </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer without a prior close_notify
+as a normal exit condition. This is the default. </li>
<li> <tt>-Y</tt>&nbsp;: Request a client certificate.
The certificate is optional: if the client gives none, the connection
proceeds. </li>
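Review bot: same two points as in the s6-tlsc-io.html hunk: `close_notify` in the new `-J` and `-j` items should be `<tt>close_notify</tt>` to match the `-s` item directly above, and exit code 98 should be added to this page's exit codes section if it has one.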
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 883777b..73a9f9b 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -38,7 +38,7 @@ the options given when configuring <tt>s6-networking</tt>.
<h2> Interface </h2>
<pre>
- s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
+ s6-tlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
</pre>
<ul>
@@ -139,6 +139,9 @@ before execing <em>prog...</em>. This is the default. </li>
and break the connection when <em>prog</em> sends EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsd-io.html">s6-tlsd-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
<li> <tt>-Y</tt>&nbsp;: Request an optional client certificate. </li>
<li> <tt>-y</tt>&nbsp;: Request a mandatory client certificate.
The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option,
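Review bot: as in s6-tlsd-io.html's entry, the `-j` item should carry the `without a prior close_notify` qualifier and, if `-j` is indeed the default for s6-tlsd as it is for s6-tlsd-io, the sentence `This is the default.`; neither new item ends with a period while the surrounding `-s` and `-Y` items do.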
diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index d1ca3e2..8713235 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -177,6 +177,7 @@ certificates, you probably still want TCP access rules.
<li> <tt>-Z</tt>, <tt>-z</tt>&nbsp;: keep or remove the <a href="s6-tlsd-io.html">s6-tlsd-io</a>-specific
variables from the application's environment </li>
<li> <tt>-S</tt>, <tt>-s</tt>&nbsp;: use close_notify or EOF to signal the end of a TLS connection </li>
+ <li> <tt>-J</tt>, <tt>-j</tt>&nbsp;: exit nonzero with an error message when the peer fails to close_notify, or ignore it </li>
<li> <tt>-Y</tt>, <tt>-y</tt>&nbsp;: request an optional or a mandatory client certificate </li>
<li> <tt>-K <em>kimeout</em></tt>&nbsp;: set a timeout for the TLS handshake </li>
<li> <tt>-k <em>snilevel</em></tt>&nbsp;: support SNI-based certificate chains </li>
diff --git a/doc/s6-ucspitlsc.html b/doc/s6-ucspitlsc.html
index e096e24..52af6db 100644
--- a/doc/s6-ucspitlsc.html
+++ b/doc/s6-ucspitlsc.html
@@ -36,7 +36,7 @@ TLS stack in the client itself.
<h2> Interface </h2>
<pre>
- s6-ucspitlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
+ s6-ucspitlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em>
</pre>
<ul>
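Review bot: the rewritten synopsis keeps `-K kimeout` in plain text; put `kimeout` in `<em>` like the other placeholders on the line, as the s6-tlsd-io.html synopsis in this patch already does.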
@@ -142,6 +142,9 @@ before execing <em>prog...</em>. This is the default. </li>
and break the connection when <em>prog</em> sends EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsc-io.html">s6-tlsc-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
<li> <tt>-Y</tt>&nbsp;: Do not send a client certificate. This is the default. </li>
<li> <tt>-y</tt>&nbsp;: Send a client certificate. </li>
<li> <tt>-k&nbsp;<em>servername</em></tt>&nbsp;: use Server Name
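Review bot: same as the s6-tlsc.html hunk: the `-j` item should state that it applies to EOF without a prior close_notify and that it is the default (if it is, as for s6-tlsc-io), and the two new items need a terminating period to match their neighbours.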
diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html
index 8488942..314cc39 100644
--- a/doc/s6-ucspitlsd.html
+++ b/doc/s6-ucspitlsd.html
@@ -36,7 +36,7 @@ TLS stack in the server itself.
<h2> Interface </h2>
<pre>
- s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
+ s6-ucspitlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
</pre>
<ul>
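Review bot: this synopsis has both `-K kimeout` and `-k snilevel` in plain text while `verbosity` and `prog...` are in `<em>`; since the line is rewritten anyway, mark both arguments up as `<em>` for consistency with the s6-tlsd-io.html synopsis in this patch.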
@@ -146,6 +146,9 @@ before execing <em>prog...</em>. This is the default. </li>
and break the connection when <em>prog</em> sends EOF. </li>
<li> <tt>-s</tt>&nbsp;: transmit EOF by half-closing the TCP
connection without using <tt>close_notify</tt>. This is the default. </li>
+ <li> <tt>-J</tt>&nbsp;: make <a href="s6-tlsd-io.html">s6-tlsd-io</a>
+exit with a nonzero code if the peer sends EOF without a close_notify first </li>
+ <li> <tt>-j</tt>&nbsp;: treat EOF from the peer as a normal exit condition </li>
<li> <tt>-Y</tt>&nbsp;: Request an optional client certificate. </li>
<li> <tt>-y</tt>&nbsp;: Request a mandatory client certificate.
The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option,
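Review bot: as in the other wrapper pages, the `-j` item drops the `without a prior close_notify` qualifier and the `This is the default.` sentence present in the s6-tlsd-io.html entry, and the two new items lack the trailing period used by the items around them.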