author | Laurent Bercot <ska-skaware@skarnet.org> | 2023-11-16 05:13:06 +0000
---|---|---
committer | Laurent Bercot <ska@appnovation.com> | 2023-11-16 05:13:06 +0000
commit | 26597a785ec2dd4e9ec9fb7d9765d2ee8779ee16 (patch) |
tree | c2c5602397e9381b1cb04472ed057edd4a00e520 /doc |
parent | d8ca717da164c3e76ebb56c954d0a08544955601 (diff) |
download | s6-networking-26597a785ec2dd4e9ec9fb7d9765d2ee8779ee16.tar.xz |
Add -J and -j to the TLS tools to check for peer close_notify.
Also, and more importantly, significantly rewrite stls_run()
for better full-duplex support. This implementation isn't fully
tested yet.
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Diffstat (limited to 'doc')

mode | file | lines
---|---|---
-rw-r--r-- | doc/s6-tlsc-io.html | 6
-rw-r--r-- | doc/s6-tlsc.html | 5
-rw-r--r-- | doc/s6-tlsclient.html | 1
-rw-r--r-- | doc/s6-tlsd-io.html | 6
-rw-r--r-- | doc/s6-tlsd.html | 5
-rw-r--r-- | doc/s6-tlsserver.html | 1
-rw-r--r-- | doc/s6-ucspitlsc.html | 5
-rw-r--r-- | doc/s6-ucspitlsd.html | 5

8 files changed, 28 insertions, 6 deletions
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html index f4a81a2..17a4e26 100644 --- a/doc/s6-tlsc-io.html +++ b/doc/s6-tlsc-io.html @@ -38,7 +38,7 @@ the options given when configuring s6-networking. <h2> Interface </h2> <pre> - s6-tlsc-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em> + s6-tlsc-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em> </pre> <ul> @@ -190,6 +190,10 @@ no effect. </li> and break the connection when receiving a local EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : treat EOF from the peer without a prior close_notify +as an error: print a fatal error message and exit 98. </li> + <li> <tt>-j</tt> : treat EOF from the peer without a prior close_notify +as a normal exit condition. This is the default. </li> <li> <tt>-Y</tt> : Do not send a client certificate. This is the default. </li> <li> <tt>-y</tt> : Send a client certificate. </li> <li> <tt>-k <em>servername</em></tt> : use Server Name diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html index 1d11c5b..aff6828 100644 --- a/doc/s6-tlsc.html +++ b/doc/s6-tlsc.html @@ -29,7 +29,7 @@ TLS/SSL. <h2> Interface </h2> <pre> - s6-tlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em> + s6-tlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em> </pre> <ul> 
@@ -126,6 +126,9 @@ before execing <em>prog...</em>. This is the default. </li> and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : make <a href="s6-tlsc-io.html">s6-tlsc-io</a> +exit with a nonzero code if the peer sends EOF without a close_notify first </li> + <li> <tt>-j</tt> : treat EOF from the peer as a normal exit condition </li> <li> <tt>-Y</tt> : Do not send a client certificate. This is the default. </li> <li> <tt>-y</tt> : Send a client certificate. </li> <li> <tt>-k <em>servername</em></tt> : use Server Name diff --git a/doc/s6-tlsclient.html b/doc/s6-tlsclient.html index 287c02c..09276d4 100644 --- a/doc/s6-tlsclient.html +++ b/doc/s6-tlsclient.html @@ -144,6 +144,7 @@ generally work: the defaults are sensible. <li> <tt>-Z</tt>, <tt>-z</tt> : keep or remove the <a href="s6-tlsc-io.html">s6-tlsc-io</a>-specific variables from the application's environment </li> <li> <tt>-S</tt>, <tt>-s</tt> : use close_notify or EOF to signal the end of a TLS connection </li> + <li> <tt>-J</tt>, <tt>-j</tt> : exit nonzero with an error message when the peer fails to close_notify, or ignore it </li> <li> <tt>-Y</tt>, <tt>-y</tt> : don't send, or send, a client certificate </li> <li> <tt>-k <em>servername</em></tt> : use SNI and provide a server name </li> <li> <tt>-K <em>kimeout</em></tt> : set a timeout for the TLS handshake </li> diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index 0f3b922..55e293f 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html 
@@ -38,7 +38,7 @@ the options given when configuring s6-networking. <h2> Interface </h2> <pre> - s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em> + s6-tlsd-io [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em> </pre> <ul> @@ -210,6 +210,10 @@ no effect. </li> and break the connection when receiving a local EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : treat EOF from the peer without a prior close_notify +as an error: print a fatal error message and exit 98. </li> + <li> <tt>-j</tt> : treat EOF from the peer without a prior close_notify +as a normal exit condition. This is the default. </li> <li> <tt>-Y</tt> : Request a client certificate. The certificate is optional: if the client gives none, the connection proceeds. </li> diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html index 883777b..73a9f9b 100644 --- a/doc/s6-tlsd.html +++ b/doc/s6-tlsd.html @@ -38,7 +38,7 @@ the options given when configuring <tt>s6-networking</tt>. <h2> Interface </h2> <pre> - s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em> + s6-tlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em> </pre> <ul> 
@@ -139,6 +139,9 @@ before execing <em>prog...</em>. This is the default. </li> and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : make <a href="s6-tlsd-io.html">s6-tlsd-io</a> +exit with a nonzero code if the peer sends EOF without a close_notify first </li> + <li> <tt>-j</tt> : treat EOF from the peer as a normal exit condition </li> <li> <tt>-Y</tt> : Request an optional client certificate. </li> <li> <tt>-y</tt> : Request a mandatory client certificate. The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option, diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html index d1ca3e2..8713235 100644 --- a/doc/s6-tlsserver.html +++ b/doc/s6-tlsserver.html @@ -177,6 +177,7 @@ certificates, you probably still want TCP access rules. <li> <tt>-Z</tt>, <tt>-z</tt> : keep or remove the <a href="s6-tlsd-io.html">s6-tlsd-io</a>-specific variables from the application's environment </li> <li> <tt>-S</tt>, <tt>-s</tt> : use close_notify or EOF to signal the end of a TLS connection </li> + <li> <tt>-J</tt>, <tt>-j</tt> : exit nonzero with an error message when the peer fails to close_notify, or ignore it </li> <li> <tt>-Y</tt>, <tt>-y</tt> : request an optional or a mandatory client certificate </li> <li> <tt>-K <em>kimeout</em></tt> : set a timeout for the TLS handshake </li> <li> <tt>-k <em>snilevel</em></tt> : support SNI-based certificate chains </li> diff --git a/doc/s6-ucspitlsc.html b/doc/s6-ucspitlsc.html index e096e24..52af6db 100644 --- a/doc/s6-ucspitlsc.html +++ b/doc/s6-ucspitlsc.html 
@@ -36,7 +36,7 @@ TLS stack in the client itself. <h2> Interface </h2> <pre> - s6-ucspitlsc [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em> + s6-ucspitlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k <em>servername</em> ] [ -6 <em>rfd</em> ] [ -7 <em>wfd</em> ] [ -- ] <em>prog...</em> </pre> <ul> @@ -142,6 +142,9 @@ before execing <em>prog...</em>. This is the default. </li> and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : make <a href="s6-tlsc-io.html">s6-tlsc-io</a> +exit with a nonzero code if the peer sends EOF without a close_notify first </li> + <li> <tt>-j</tt> : treat EOF from the peer as a normal exit condition </li> <li> <tt>-Y</tt> : Do not send a client certificate. This is the default. </li> <li> <tt>-y</tt> : Send a client certificate. </li> <li> <tt>-k <em>servername</em></tt> : use Server Name diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html index 8488942..314cc39 100644 --- a/doc/s6-ucspitlsd.html +++ b/doc/s6-ucspitlsd.html @@ -36,7 +36,7 @@ TLS stack in the server itself. <h2> Interface </h2> <pre> - s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em> + s6-ucspitlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em> </pre> <ul> 
@@ -146,6 +146,9 @@ before execing <em>prog...</em>. This is the default. </li> and break the connection when <em>prog</em> sends EOF. </li> <li> <tt>-s</tt> : transmit EOF by half-closing the TCP connection without using <tt>close_notify</tt>. This is the default. </li> + <li> <tt>-J</tt> : make <a href="s6-tlsd-io.html">s6-tlsd-io</a> +exit with a nonzero code if the peer sends EOF without a close_notify first </li> + <li> <tt>-j</tt> : treat EOF from the peer as a normal exit condition </li> <li> <tt>-Y</tt> : Request an optional client certificate. </li> <li> <tt>-y</tt> : Request a mandatory client certificate. The default, with neither the <tt>-Y</tt> nor the <tt>-y</tt> option, |
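Review bot: in the option-list hunks of doc/s6-tlsc-io.html and doc/s6-tlsd-io.html, the new `-J` item introduces exit status 98 ("print a fatal error message and exit 98") without any explanation of why a user would want it; one clause saying that a peer EOF with no prior close_notify means the TLS stream may have been truncated rather than cleanly ended would let readers weigh the default (`-j`) against `-J`. Two smaller points in the same hunks: `close_notify` is written bare in both new items while the adjacent `-s` item wraps it in `<tt>close_notify</tt>`, and if either page has an exit-codes section it should gain an entry for 98.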
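Review bot: in the option-list hunks of doc/s6-tlsc.html, doc/s6-tlsd.html, doc/s6-ucspitlsc.html and doc/s6-ucspitlsd.html, the `-j` item reads "treat EOF from the peer as a normal exit condition", dropping the "without a close_notify first" qualifier that the paired `-J` item carries, so it reads as though it governs every peer EOF; it also omits "This is the default." even though the surrounding `-s` and `-Y` items state their default and the -io pages document `-j` as the default. Both new items also lack the trailing period used by every neighbouring item. Suggested text: `<li> <tt>-j</tt> : treat EOF from the peer without a close_notify first as a normal exit condition. This is the default. </li>`.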
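Review bot: in the doc/s6-tlsclient.html and doc/s6-tlsserver.html hunks, "when the peer fails to close_notify" uses the alert name as a verb; "when the peer closes the connection without sending close_notify, or ignore it" is clearer and matches the wording of the `-S`, `-s` item just above. Since these summary lists do not say which of each pair is the default, consider adding "(default: <tt>-j</tt>)" so that readers of the wrapper pages are not left to infer it from the -io pages.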