-rw-r--r--  INSTALL                  | 70
-rw-r--r--  NEWS                     |  1
-rw-r--r--  doc/index.html           | 24
-rw-r--r--  doc/libstls/index.html   | 10
-rw-r--r--  doc/upgrade.html         |  6
-rw-r--r--  src/tls/s6-tlsserver.c   |  2
6 files changed, 70 insertions, 43 deletions
diff --git a/INSTALL b/INSTALL
index 37e0076..b7f9a64 100644
--- a/INSTALL
+++ b/INSTALL
@@ -6,13 +6,15 @@ Build Instructions
- A POSIX-compliant C development environment
- GNU make version 3.81 or later
- - skalibs version 2.9.4.0 or later: https://skarnet.org/software/skalibs/
- - (Optional) execline version 2.6.1.1 or later: https://skarnet.org/software/execline/
- - s6 version 2.9.2.0 or later: https://skarnet.org/software/s6/
+ - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/
+ - (Optional) execline version 2.7.0.0 or later: https://skarnet.org/software/execline/
+ - s6 version 2.10.0.0 or later: https://skarnet.org/software/s6/
- s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/
- Depending on whether you build the SSL tools,
- libressl version 3.1.4 or later: https://libressl.org/
- or bearssl version 0.6 or later: https://bearssl.org/
+ bearssl version 0.6 or later: https://bearssl.org/
+ or libressl version 3.2.2 or later: https://libressl.org/
+ or openssl version 1.1.1h or later: https://openssl.org/ *in addition to*
+ libretls version 3.3.0 or later: https://git.causal.agency/libretls/about/
This software will run on any operating system that implements
POSIX.1-2008, available at:
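Review bot: the s6-dns requirement on the unchanged line between the bumped s6 line and the SSL list stays at 2.3.3.0 while skalibs, execline and s6 all move to their next generation (2.10.0.0, 2.7.0.0, 2.10.0.0); if that is deliberate it is fine, but it is worth a second look since doc/index.html in this same patch also leaves s6-dns at 2.3.3.0. Also, the `*in addition to*` asterisk emphasis on the openssl line is the only markup of its kind in this plain-text INSTALL; "or openssl version 1.1.1h or later together with libretls version 3.3.0 or later" says the same without it.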
@@ -182,14 +184,22 @@ source tree if parallel builds are needed.
* SSL support
-----------
- s6-networking implements UCSPI tools for SSL/TLS connections: s6-tlsclient,
-s6-tlsserver, s6-tlsc and s6-tlsd. Those are built if you give the
---enable-ssl=<implementation> flag to configure. There are two supported
-values for <implementation>: libressl (in which case the tools will be
-built against libtls) and bearssl (in which case the tools will be built
-against libbearssl). You should install the relevant header and library
-files for your chosen implementation, be it LibreSSL or BearSSL, before
-building a SSL-enabled s6-networking.
+ s6-networking implements UCSPI tools for SSL/TLS connections: see the
+doc/tls-overview.html page for a listing of these tools and what they do.
+The TLS tools are built if you give the --enable-ssl=<implementation>
+flag to configure. There are two supported values for <implementation>:
+bearssl and libtls. You should install the relevant header and library
+files for your chosen implementation before building a SSL-enabled
+s6-networking.
+ "bearssl" uses the BearSSL API, of which there's only one implementation,
+from bearssl.org.
+ "libtls" uses the libtls API, which has two possible implementations:
+ - The original one, from libressl.org, bundled with LibreSSL
+ - An alternative one, from causal.agency, that is used on top of
+OpenSSL.
+
+ For compatibility, "libressl" is accepted as <implementation> and is
+an alias to libtls.
If your SSL headers and library files are not installed in /usr/include
and /usr/lib, you can use the --with-ssl-path=DIR configure option:
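Review bot: this hunk renames the canonical configure value from `libressl` to `libtls` and documents `libressl` as an alias, but no configure script is part of this patch (the diffstat lists only INSTALL, NEWS, three doc pages and src/tls/s6-tlsserver.c), so confirm that configure already accepts `--enable-ssl=libtls`, otherwise the documented invocation fails. Minor: "building a SSL-enabled s6-networking" in the rewritten paragraph should read "an SSL-enabled".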
@@ -198,23 +208,27 @@ DIR/lib. For more complex setups, use the generic --with-include and
--with-dir configure options.
If you choose --enable-ssl=bearssl, then s6-networking will build a
-"libsbearssl" support library, which s6-tlsc and s6-tlsd will be linked
-against. This support library depends on libbearssl interfaces.
-
- If you choose --enable-ssl=libressl, then s6-networking will build
-a "libstls" support library, which s6-tlsc and s6-tlsd will be linked
-against. This support library depends on libtls interfaces, but not
-on libssl or libcrypto interfaces - so it is possible to use alternative
-implementations of the libtls API.
+"libsbearssl" support library, which s6-tlsc-io and s6-tlsd-io will be
+linked against. This support library depends on libbearssl interfaces.
+
+ If you choose --enable-ssl=libtls, then s6-networking will build a
+"libstls" support library, which s6-tlsc-io and s6-tlsd-io will be
+linked against. This support library depends on libtls interfaces, but
+not on libssl or libcrypto interfaces, so it is possible to use other
+alternative implementations of the libtls API. There is one such
+implementation: libtls-bearssl, implementing libtls on top of bearssl,
+but using it with s6-networking is a waste since s6-networking supports
+bearssl natively.
If your SSL implementation library needs nonstandard -l options to link
against it, you can override the CRYPTO_LIB make variable.
-By default, CRYPTO_LIB is "-lbearssl" when building against BearSSL,
-and "-ltls -lssl -lcrypto" when building against LibreSSL.
+By default, CRYPTO_LIB is "-lbearssl" when building against bearssl,
+and "-ltls -lssl -lcrypto" when building against libtls.
- As of 2019-02-12, please note that BearSSL is considered beta quality
+ As of 2020-11-30, please note that BearSSL is considered beta quality
by its author, so use with caution. Nevertheless, it's an incredibly
-promising library with high-quality interfaces and implementation.
-When statically linked against BearSSL, the s6-tlsc and s6-tlsd binaries
-are 1/10th the size of what they are when statically linked against LibreSSL,
-with a smaller RAM footprint too.
+good beta, with high-quality interfaces and implementation, and no
+known serious bugs.
+When statically linked against BearSSL, the s6-tlsc-io and s6-tlsd-io
+binaries are 1/10th the size of what they are when statically linked
+against libressl/openssl, with a much smaller RAM footprint too.
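Review bot: "other alternative implementations of the libtls API" in the libstls paragraph is redundant; "other implementations" is enough. The sentence on libtls-bearssl is useful, since a reader might otherwise pick the libtls build on top of BearSSL and get the larger binaries for nothing. The "1/10th the size" comparison and the "no known serious bugs" statement are now both dated "As of 2020-11-30"; keeping the date on the claim is the right call, since it tells a future reader when it was last checked.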
diff --git a/NEWS b/NEWS
index 25c989b..83f2c29 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ Changelog for s6-networking.
In 2.4.0.0
----------
+ - Can be built against OpenSSL + libretls.
- execline is now optional.
- s6-tlsc and s6-tlsd rewrite. They're now wrappers around new
binaries: s6-tlsc-io and s6-tlsd-io, which establish and run a
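Review bot: the new NEWS line mentions the OpenSSL + libretls backend but not the user-visible configure change from INSTALL in this same patch (`--enable-ssl=libtls` is now the canonical value, with `libressl` kept as an alias); a packager reading only NEWS would miss it, so add it here, e.g. " - --enable-ssl=libtls is the new name of the libressl backend; libressl is still accepted."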
diff --git a/doc/index.html b/doc/index.html
index f402ab3..1160f7a 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -44,23 +44,27 @@ compiled with IPv6 support, s6-networking is IPv6-ready.
<li> A POSIX-compliant system with a standard C development environment </li>
<li> GNU make, version 3.81 or later </li>
<li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version
-2.9.4.0 or later. It's a build-time requirement. It's also a run-time
+2.10.0.0 or later. It's a build-time requirement. It's also a run-time
requirement if you link against the shared version of the skalibs
library. </li>
<li> <a href="//skarnet.org/software/execline/">execline</a> version
-2.6.1.1 or later. It's a build-time and run-time requirement. </li>
+2.7.0.0 or later. It's a build-time and run-time requirement. </li>
<li> <a href="//skarnet.org/software/s6/">s6</a> version
-2.9.2.0 or later. It's a build-time and run-time requirement. </li>
+2.10.0.0 or later. It's a build-time and run-time requirement. </li>
<li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version
2.3.3.0 or later. It's a build-time requirement. It's also a run-time
requirement if you link against the shared version of the s6-dns
libraries. </li>
<li> If you want to build the secure communication tools:
<ul>
- <li> Either <a href="https://libressl.org/">LibreSSL</a> version 3.1.4
-or later </li>
- <li> Or <a href="https://bearssl.org/">BearSSL</a> version 0.6
+ <li> Either <a href="https://bearssl.org/">BearSSL</a> version 0.6
or later. <strong>This is a beta version.</strong> </li>
+ <li> Or <a href="https://libressl.org/">LibreSSL</a> version 3.2.2
+or later </li>
+ <li> Or <a href="https://openssl.org/">OpenSSL</a> version 1.1.1h
+or later <em>and</em>
+<a href="https://git.causal.agency/libretls/about/">LibreTLS</a>
+version 3.3.0 or later </li>
</ul> The chosen library is a build-time requirement, and also a
run-time requirement if you link against its shared version. </li>
</ul>
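Review bot: the unchanged closing sentence "The chosen library is a build-time requirement, and also a run-time requirement if you link against its shared version" now sits under an option that involves two libraries (OpenSSL <em>and</em> LibreTLS); rewording to "The chosen library or libraries" keeps it accurate for the new entry. The version numbers here (BearSSL 0.6, LibreSSL 3.2.2, OpenSSL 1.1.1h, LibreTLS 3.3.0) match the INSTALL hunk, which is good.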
@@ -141,13 +145,13 @@ relevant page.
<ul>
<li> An <a href="tls-overview.html">overview</a> of the TLS-related programs </li>
<li><a href="s6-tlsclient.html">The <tt>s6-tlsclient</tt> program</a></li>
-<li><a href="s6-tlsc.html">The <tt>s6-tlsc</tt> program</a></li>
-<li><a href="s6-tlsc-io.html">The <tt>s6-tlsc-io</tt> program</a></li>
-<li><a href="s6-ucspitlsc.html">The <tt>s6-ucspitlsc</tt> program</a></li>
<li><a href="s6-tlsserver.html">The <tt>s6-tlsserver</tt> program</a></li>
+<li><a href="s6-tlsc.html">The <tt>s6-tlsc</tt> program</a></li>
<li><a href="s6-tlsd.html">The <tt>s6-tlsd</tt> program</a></li>
-<li><a href="s6-tlsd-io.html">The <tt>s6-tlsd-io</tt> program</a></li>
+<li><a href="s6-ucspitlsc.html">The <tt>s6-ucspitlsc</tt> program</a></li>
<li><a href="s6-ucspitlsd.html">The <tt>s6-ucspitlsd</tt> program</a></li>
+<li><a href="s6-tlsc-io.html">The <tt>s6-tlsc-io</tt> program</a></li>
+<li><a href="s6-tlsd-io.html">The <tt>s6-tlsd-io</tt> program</a></li>
</ul>
<h4> TCP access control </h4>
diff --git a/doc/libstls/index.html b/doc/libstls/index.html
index 0983fef..3be3464 100644
--- a/doc/libstls/index.html
+++ b/doc/libstls/index.html
@@ -24,8 +24,11 @@
<tt>libstls</tt> is a small support library for the
<a href="../s6-tlsc.html">s6-tlsc</a> and
<a href="../s6-tlsd.html">s6-tlsd</a> executables when they're built
-against the <a href="https://www.libressl.org/">LibreSSL</a>
-backend. You can use it in your own programs, but since
+against the <em>libtls</em> API, whether that API is implemented via
+<a href="https://libressl.org/">LibreSSL</a> or via
+<a href="https://.openssl.org/">OpenSSL</a> with the addition of
+<a href="https://git.causal.agency/libretls/about/">LibreTLS</a>.
+You can use it in your own programs, but since
<a href="https://man.openbsd.org/OpenBSD-current/man3/tls_init.3">libtls</a>
is already relatively high-level, it's probably not very useful.
</p>
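Review bot: the added OpenSSL link has a stray dot in the host: `<a href="https://.openssl.org/">` should be `<a href="https://openssl.org/">` as in the other files of this patch. Also, the first sentence of this paragraph still says libstls supports "the s6-tlsc and s6-tlsd executables", while the INSTALL hunk in this same patch says libstls is linked by s6-tlsc-io and s6-tlsd-io; update the text and the two hrefs to the -io pages for consistency.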
@@ -42,7 +45,8 @@ and the <tt>tls.h</tt> header, are visible in your header search path. </li>
<ul>
<li> Make sure the s6-networking libraries, as well as the skalibs
-libraries, and the LibreSSL libraries, are visible in your library search path. </li>
+libraries, and the libraries needed by libtls, are visible in your
+library search path. </li>
<li> Link against <tt>-lstls</tt>, <tt>-lskarnet</tt>, <tt>-ltls</tt>,
<tt>-lssl</tt>, <tt>-lcrypto</tt>,
<tt>`cat $sysdeps/socket.lib`</tt>, <tt>`cat $sysdeps/spawn.lib`</tt>, and
diff --git a/doc/upgrade.html b/doc/upgrade.html
index eabebb6..4df1cb7 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -21,8 +21,12 @@
<h2> in 2.4.0.0 </h2>
<ul>
+ <li> <a href="https://openssl.org/">OpenSSL</a> plus
+<a href="https://git.causal.agency/libretls/about/">LibreTLS</a>
+can now be used as a backend, since LibreTLS provides an
+implementation of the libtls API. </li>
<li> <a href="//skarnet.org/software/skalibs/">skalibs</a>
-dependency bumped to 2.9.4.0. </li>
+dependency bumped to 2.10.0.0. </li>
<li> <a href="//skarnet.org/software/execline/">execline</a>
has been made optional. It's still enabled by default; disabling
it with the <tt>--disable-execline</tt> configure option disables
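Review bot: the upgrade note covers the new OpenSSL + LibreTLS backend but not the configure-level rename that INSTALL documents in this patch (`--enable-ssl=libtls` as the canonical value, `libressl` as a compatibility alias); since upgrade.html is where people look before rebuilding, a one-line item stating that existing `--enable-ssl=libressl` invocations keep working would avoid support questions.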
diff --git a/src/tls/s6-tlsserver.c b/src/tls/s6-tlsserver.c
index fe493ad..0a6ae78 100644
--- a/src/tls/s6-tlsserver.c
+++ b/src/tls/s6-tlsserver.c
@@ -6,7 +6,7 @@
#include <skalibs/types.h>
#include <skalibs/sgetopt.h>
#include <skalibs/strerr2.h>
-#include <skalibs/djbunix.h>
+#include <skalibs/exec.h>
#include <s6/config.h>
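Review bot: the swap from `skalibs/djbunix.h` to `skalibs/exec.h` is the only source change in this patch and is consistent with the skalibs dependency bump to 2.10.0.0 in INSTALL; since the hunk shows only the include lines and the diff is cut off here, confirm that nothing else in s6-tlsserver.c still relies on a djbunix.h-only function, otherwise the file no longer compiles once the old header is gone.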