Server-side SNI, libtls version

 Implementation for bearssl coming soon.

5 files changed, 85 insertions, 10 deletions

diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html
index b83ae57..95cc44f 100644
--- a/doc/s6-tlsc.html
+++ b/doc/s6-tlsc.html
@@ -98,6 +98,13 @@ used. </li>
  <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains <em>servername</em>,
 if the <tt>-k</tt> option has been given; otherwise it is removed
 from the environment. </li>
+ <li> <tt>SSL_PEER_CERT_HASH</tt> contains the hash of the peer's
+End Entity certificate, prefixed by the name of the hash and a colon
+(typically <tt>SHA256:</tt>). </li>
+ <li> <tt>SSL_PEER_CERT_SUBJECT</tt> contains the decoded subjectDN
+of the peer's End Entity certificate, i.e. identifying information.
+What is traditionally called the "name" of the certificate is the
+CN field in that data. </li>
  <li> More similar environment variables containing information
 about the connection may be added in the future. </li>
 </ul>
diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html
index 29f75c3..b2a4a1e 100644
--- a/doc/s6-tlsd-io.html
+++ b/doc/s6-tlsd-io.html
@@ -38,7 +38,7 @@ the options given when configuring s6-networking.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -d notif ] [ -- ] <em>fdr</em> <em>fdw</em>
+     s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -d <em>notif</em> ] [ -- ] <em>fdr</em> <em>fdw</em>
 </pre>
 
 <ul>
@@ -107,7 +107,7 @@ environment variables set:
  <li> <tt>KEYFILE</tt>: a path to the file
 containing the server's private key, DER- or PEM-encoded. </li>
  <li> <tt>CERTFILE</tt>: a path to the file
-containing the server's certificate, DER- or PEM-encoded.
+containing the server's certificate chain, DER- or PEM-encoded.
 If PEM-encoded, the file can actually contain a chain
 of certificates. </li>
 </ul>
@@ -118,6 +118,17 @@ will refuse to run.
 </p>
 
 <p>
+ Alternatively, if <em>snilevel</em> is nonzero, the private
+key for the server named <em>x</em> should be held in a file
+whose name is contained in the <tt>KEYFILE:<em>x</em></tt>
+environment variable, and the corresponding certificate chain
+file should be named in the <tt>CERTFILE:<em>x</em></tt>
+environment variable. If <em>snilevel</em> is 2 or more, the
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables will be
+entirely ignored.
+</p>
+
+<p>
  If you are using client certificates, <tt>s6-tlsd-io</tt>
 also requires either one of the following variables to be set:
 </p>
@@ -196,6 +207,19 @@ is not to require a client certificate at all. </li>
 to send data for <em>kimeout</em> milliseconds during the handshake,
 close the connection. The default is 0, which means infinite timeout
 (never kill the connection). </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
  <li> <tt>-d&nbsp;<em>notif</em></tt>&nbsp;: handshake notification.
 <em>notif</em> must be a file descriptor open for writing. When the
 TLS handshake has completed, some data (terminated by two null
diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html
index 6b0228f..c1c6a59 100644
--- a/doc/s6-tlsd.html
+++ b/doc/s6-tlsd.html
@@ -38,7 +38,7 @@ the options given when configuring <tt>s6-networking</tt>.
 <h2> Interface </h2>
 
 <pre>
-     s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -- ] <em>prog...</em>
+     s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K <em>kimeout</em> ] [ -k <em>snilevel</em> ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -78,7 +78,10 @@ So it should pay attention to the following variables:
 </p>
 
 <ul>
- <li> <tt>KEYFILE</tt> and <tt>CERTFILE</tt> </li>
+ <li> <tt>KEYFILE</tt> and <tt>CERTFILE</tt>. Also (or alternatively),
+if the <tt>-k</tt> option is given: a series of
+<tt>KEYFILE:<em>x</em></tt> and <tt>CERTFILE:<em>x</em></tt> variables,
+for every <em>x</em> in the set of server names </li>
  <li> (if the -y or -Y option has been given) <tt>CADIR</tt> or <tt>CAFILE</tt> </li>
  <li> <tt>TLS_UID</tt> and <tt>TLS_GID</tt>
 </ul>
@@ -88,10 +91,12 @@ So it should pay attention to the following variables:
 <p>
  By default, <em>prog...</em> is run with all these
 variables <em>unset</em>: CADIR, CAFILE,
-KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to
+KEYFILE, CERTFILE, KEYFILE:<em>x</em> and CERTFILE:<em>x</em> for
+every <em>x</em>, TLS_UID and TLS_GID. They're passed to
 the <a href="s6-tlsd-io.html">s6-tlsd-io</a> child but
 not to <em>prog...</em>.
-The <tt>-Z</tt> option prevents that behaviour.
+The <tt>-Z</tt> option prevents that behaviour and keeps them
+accessible in the child.
 </p>
 
 <p>
@@ -107,6 +112,13 @@ used. </li>
  <li> <tt>SSL_TLS_SNI_SERVERNAME</tt> contains the required SNI
 server name, if any. It is removed from the environment if no SNI
 has been sent by the client. </li>
+ <li> <tt>SSL_PEER_CERT_HASH</tt> contains the hash of the peer's
+End Entity certificate, prefixed by the name of the hash and a colon
+(typically <tt>SHA256:</tt>). </li>
+ <li> <tt>SSL_PEER_CERT_SUBJECT</tt> contains the decoded subjectDN
+of the peer's End Entity certificate, i.e. identifying information.
+What is traditionally called the "name" of the certificate is the
+CN field in that data. </li>
  <li> More similar environment variables containing information
 about the connection may be added in the future. </li>
 </ul>
@@ -136,6 +148,19 @@ is not to require a client certificate at all. </li>
 to send data for <em>kimeout</em> milliseconds during the handshake,
 close the connection. The default is 0, which means infinite timeout
 (never kill the connection). </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
 </ul>
 
 <h2> Notes </h2>
diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index 12de659..2ec3327 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -194,6 +194,7 @@ given but no <tt>-i</tt> or <tt>-x</tt> option. </li>
  <li> <tt>-S</tt>, <tt>-s</tt> </li>
  <li> <tt>-Y</tt>, <tt>-y</tt> </li>
  <li> <tt>-K <em>kimeout</em></tt> </li>
+ <li> <tt>-k <em>snilevel</em></tt> </li>
 </ul>
 
 <h3> Options passed to s6-applyuidgid </h3>
diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html
index 7d7ef9b..be172c0 100644
--- a/doc/s6-ucspitlsd.html
+++ b/doc/s6-ucspitlsd.html
@@ -36,7 +36,7 @@ TLS stack in the server itself.
 <h2> Interface </h2>
 
 <pre>
-     s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -- ] <em>prog...</em>
+     s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v <em>verbosity</em> ] [ -K kimeout ] [ -k snilevel ] [ -- ] <em>prog...</em>
 </pre>
 
 <ul>
@@ -84,7 +84,10 @@ So it should pay attention to the following variables:
 </p>
 
 <ul>
- <li> <tt>CERTFILE</tt> and <tt>KEYFILE</tt> </li>
+ <li> <tt>CERTFILE</tt> and <tt>KEYFILE</tt>. Also (or alternatively),
+if the <tt>-k</tt> option is given: a series of
+<tt>KEYFILE:<em>x</em></tt> and <tt>CERTFILE:<em>x</em></tt> variables,
+for every <em>x</em> in the set of server names </li>
  <li> (if the <tt>-Y</tt> or <tt>-y</tt> option has been given) <tt>CADIR</tt> or <tt>CAFILE</tt> </li>
  <li> <tt>TLS_UID</tt> and <tt>TLS_GID</tt>
 </ul>
@@ -94,10 +97,12 @@ So it should pay attention to the following variables:
 <p>
  By default, <em>prog...</em> is run with all these
 variables <em>unset</em>: CADIR, CAFILE,
-KEYFILE, CERTFILE, TLS_UID and TLS_GID. They're passed to
+KEYFILE, CERTFILE, KEYFILE:<em>x</em> and CERTFILE:<em>x</em> for
+every <em>x</em>, TLS_UID and TLS_GID. The variables are passed to
 the <a href="s6-tlsd-io.html">s6-tlsd-io</a> child but
 not to <em>prog...</em>.
-The <tt>-Z</tt> option prevents that behaviour.
+The <tt>-Z</tt> option prevents that behaviour and keeps them
+accessible in the child.
 </p>
 
 <p>
@@ -150,6 +155,19 @@ is not to require a client certificate at all. </li>
 the handshake takes more than <em>kimeout</em> milliseconds to complete.
 The default is 0, which means infinite timeout: let the handshake complete
 at its own pace, no matter how slow. </li>
+ <li> <tt>-k&nbsp;<em>snilevel</em></tt>&nbsp;: support alternative
+certificate chains for SNI. If <em>snilevel</em> is nonzero, private
+key file names are read from every environment variable of the form
+<tt>KEYFILE:<em>x</em></tt>, where <em>x</em> is a server name that
+the client may require, and a corresponding certificate chain for the name
+<em>x</em> should exist in the file named after the contents of the
+<tt>CERTFILE:<em>x</em></tt> environment variable. If <em>snilevel</em>
+is 2 or more, <em>only</em> those files are read, and the generic
+<tt>KEYFILE</tt> and <tt>CERTFILE</tt> variables are ignored.
+If <em>snilevel</em> is 0, or if the option is not given, which is the
+default, <tt>KEYFILE</tt> and <tt>CERTFILE</tt> are the only private
+key / certificate chain pair that are loaded, no other environment
+variable is read for keypairs. </li>
 </ul>
 
 <h2> Notes </h2>