-rw-r--r--  INSTALL                | 70
-rw-r--r--  NEWS                   |  1
-rw-r--r--  doc/index.html         | 24
-rw-r--r--  doc/libstls/index.html | 10
-rw-r--r--  doc/upgrade.html       |  6
-rw-r--r--  src/tls/s6-tlsserver.c |  2
6 files changed, 70 insertions, 43 deletions
@@ -6,13 +6,15 @@ Build Instructions - A POSIX-compliant C development environment - GNU make version 3.81 or later - - skalibs version 2.9.4.0 or later: https://skarnet.org/software/skalibs/ - - (Optional) execline version 2.6.1.1 or later: https://skarnet.org/software/execline/ - - s6 version 2.9.2.0 or later: https://skarnet.org/software/s6/ + - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/ + - (Optional) execline version 2.7.0.0 or later: https://skarnet.org/software/execline/ + - s6 version 2.10.0.0 or later: https://skarnet.org/software/s6/ - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/ - Depending on whether you build the SSL tools, - libressl version 3.1.4 or later: https://libressl.org/ - or bearssl version 0.6 or later: https://bearssl.org/ + bearssl version 0.6 or later: https://bearssl.org/ + or libressl version 3.2.2 or later: https://libressl.org/ + or openssl version 1.1.1h or later: https://openssl.org/ *in addition to* + libretls version 3.3.0 or later: https://git.causal.agency/libretls/about/ This software will run on any operating system that implements POSIX.1-2008, available at: 
@@ -182,14 +184,22 @@ source tree if parallel builds are needed. * SSL support ----------- - s6-networking implements UCSPI tools for SSL/TLS connections: s6-tlsclient, -s6-tlsserver, s6-tlsc and s6-tlsd. Those are built if you give the ---enable-ssl=<implementation> flag to configure. There are two supported -values for <implementation>: libressl (in which case the tools will be -built against libtls) and bearssl (in which case the tools will be built -against libbearssl). You should install the relevant header and library -files for your chosen implementation, be it LibreSSL or BearSSL, before -building a SSL-enabled s6-networking. + s6-networking implements UCSPI tools for SSL/TLS connections: see the +doc/tls-overview.html page for a listing of these tools and what they do. +The TLS tools are built if you give the --enable-ssl=<implementation> +flag to configure. There are two supported values for <implementation>: +bearssl and libtls. You should install the relevant header and library +files for your chosen implementation before building a SSL-enabled +s6-networking. + "bearssl" uses the BearSSL API, of which there's only one implementation, +from bearssl.org. + "libtls" uses the libtls API, which has two possible implementations: + - The original one, from libressl.org, bundled with LibreSSL + - An alternative one, from causal.agency, that is used on top of +OpenSSL. + + For compatibility, "libressl" is accepted as <implementation> and is +an alias to libtls. If your SSL headers and library files are not installed in /usr/include and /usr/lib, you can use the --with-ssl-path=DIR configure option: 
@@ -198,23 +208,27 @@ DIR/lib. For more complex setups, use the generic --with-include and --with-dir configure options. If you choose --enable-ssl=bearssl, then s6-networking will build a -"libsbearssl" support library, which s6-tlsc and s6-tlsd will be linked -against. This support library depends on libbearssl interfaces. - - If you choose --enable-ssl=libressl, then s6-networking will build -a "libstls" support library, which s6-tlsc and s6-tlsd will be linked -against. This support library depends on libtls interfaces, but not -on libssl or libcrypto interfaces - so it is possible to use alternative -implementations of the libtls API. +"libsbearssl" support library, which s6-tlsc-io and s6-tlsd-io will be +linked against. This support library depends on libbearssl interfaces. + + If you choose --enable-ssl=libtls, then s6-networking will build a +"libstls" support library, which s6-tlsc-io and s6-tlsd-io will be +linked against. This support library depends on libtls interfaces, but +not on libssl or libcrypto interfaces, so it is possible to use other +alternative implementations of the libtls API. There is one such +implementation: libtls-bearssl, implementing libtls on top of bearssl, +but using it with s6-networking is a waste since s6-networking supports +bearssl natively. If your SSL implementation library needs nonstandard -l options to link against it, you can override the CRYPTO_LIB make variable. -By default, CRYPTO_LIB is "-lbearssl" when building against BearSSL, -and "-ltls -lssl -lcrypto" when building against LibreSSL. +By default, CRYPTO_LIB is "-lbearssl" when building against bearssl, +and "-ltls -lssl -lcrypto" when building against libtls. - As of 2019-02-12, please note that BearSSL is considered beta quality + As of 2020-11-30, please note that BearSSL is considered beta quality by its author, so use with caution. Nevertheless, it's an incredibly -promising library with high-quality interfaces and implementation. 
-When statically linked against BearSSL, the s6-tlsc and s6-tlsd binaries -are 1/10th the size of what they are when statically linked against LibreSSL, -with a smaller RAM footprint too. +good beta, with high-quality interfaces and implementation, and no +known serious bugs. +When statically linked against BearSSL, the s6-tlsc-io and s6-tlsd-io +binaries are 1/10th the size of what they are when statically linked +against libressl/openssl, with a much smaller RAM footprint too. @@ -3,6 +3,7 @@ Changelog for s6-networking. In 2.4.0.0 ---------- + - Can be built against OpenSSL + libretls. - execline is now optional. - s6-tlsc and s6-tlsd rewrite. They're now wrappers around new binaries: s6-tlsc-io and s6-tlsd-io, which establish and run a diff --git a/doc/index.html b/doc/index.html index f402ab3..1160f7a 100644 --- a/doc/index.html +++ b/doc/index.html 
@@ -44,23 +44,27 @@ compiled with IPv6 support, s6-networking is IPv6-ready. <li> A POSIX-compliant system with a standard C development environment </li> <li> GNU make, version 3.81 or later </li> <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> version -2.9.4.0 or later. It's a build-time requirement. It's also a run-time +2.10.0.0 or later. It's a build-time requirement. It's also a run-time requirement if you link against the shared version of the skalibs library. </li> <li> <a href="//skarnet.org/software/execline/">execline</a> version -2.6.1.1 or later. It's a build-time and run-time requirement. </li> +2.7.0.0 or later. It's a build-time and run-time requirement. </li> <li> <a href="//skarnet.org/software/s6/">s6</a> version -2.9.2.0 or later. It's a build-time and run-time requirement. </li> +2.10.0.0 or later. It's a build-time and run-time requirement. </li> <li> <a href="//skarnet.org/software/s6-dns/">s6-dns</a> version 2.3.3.0 or later. It's a build-time requirement. It's also a run-time requirement if you link against the shared version of the s6-dns libraries. </li> <li> If you want to build the secure communication tools: <ul> - <li> Either <a href="https://libressl.org/">LibreSSL</a> version 3.1.4 -or later </li> - <li> Or <a href="https://bearssl.org/">BearSSL</a> version 0.6 + <li> Either <a href="https://bearssl.org/">BearSSL</a> version 0.6 or later. <strong>This is a beta version.</strong> </li> + <li> Or <a href="https://libressl.org/">LibreSSL</a> version 3.2.2 +or later </li> + <li> Or <a href="https://openssl.org/">OpenSSL</a> version 1.1.1h +or later <em>and</em> +<a href="https://git.causal.agency/libretls/about/">LibreTLS</a> +version 3.3.0 or later </li> </ul> The chosen library is a build-time requirement, and also a run-time requirement if you link against its shared version. </li> </ul> 
@@ -141,13 +145,13 @@ relevant page. <ul> <li> An <a href="tls-overview.html">overview</a> of the TLS-related programs </li> <li><a href="s6-tlsclient.html">The <tt>s6-tlsclient</tt> program</a></li> -<li><a href="s6-tlsc.html">The <tt>s6-tlsc</tt> program</a></li> -<li><a href="s6-tlsc-io.html">The <tt>s6-tlsc-io</tt> program</a></li> -<li><a href="s6-ucspitlsc.html">The <tt>s6-ucspitlsc</tt> program</a></li> <li><a href="s6-tlsserver.html">The <tt>s6-tlsserver</tt> program</a></li> +<li><a href="s6-tlsc.html">The <tt>s6-tlsc</tt> program</a></li> <li><a href="s6-tlsd.html">The <tt>s6-tlsd</tt> program</a></li> -<li><a href="s6-tlsd-io.html">The <tt>s6-tlsd-io</tt> program</a></li> +<li><a href="s6-ucspitlsc.html">The <tt>s6-ucspitlsc</tt> program</a></li> <li><a href="s6-ucspitlsd.html">The <tt>s6-ucspitlsd</tt> program</a></li> +<li><a href="s6-tlsc-io.html">The <tt>s6-tlsc-io</tt> program</a></li> +<li><a href="s6-tlsd-io.html">The <tt>s6-tlsd-io</tt> program</a></li> </ul> <h4> TCP access control </h4> diff --git a/doc/libstls/index.html b/doc/libstls/index.html index 0983fef..3be3464 100644 --- a/doc/libstls/index.html +++ b/doc/libstls/index.html @@ -24,8 +24,11 @@ <tt>libstls</tt> is a small support library for the <a href="../s6-tlsc.html">s6-tlsc</a> and <a href="../s6-tlsd.html">s6-tlsd</a> executables when they're built -against the <a href="https://www.libressl.org/">LibreSSL</a> -backend. You can use it in your own programs, but since +against the <em>libtls</em> API, whether that API is implemented via +<a href="https://libressl.org/">LibreSSL</a> or via +<a href="https://.openssl.org/">OpenSSL</a> with the addition of +<a href="https://git.causal.agency/libretls/about/">LibreTLS</a>. +You can use it in your own programs, but since <a href="https://man.openbsd.org/OpenBSD-current/man3/tls_init.3">libtls</a> is already relatively high-level, it's probably not very useful. </p> 
@@ -42,7 +45,8 @@ and the <tt>tls.h</tt> header, are visible in your header search path. </li> <ul> <li> Make sure the s6-networking libraries, as well as the skalibs -libraries, and the LibreSSL libraries, are visible in your library search path. </li> +libraries, and the libraries needed by libtls, are visible in your +library search path. </li> <li> Link against <tt>-lstls</tt>, <tt>-lskarnet</tt>, <tt>-ltls</tt>, <tt>-lssl</tt>, <tt>-lcrypto</tt>, <tt>`cat $sysdeps/socket.lib`</tt>, <tt>`cat $sysdeps/spawn.lib`</tt>, and diff --git a/doc/upgrade.html b/doc/upgrade.html index eabebb6..4df1cb7 100644 --- a/doc/upgrade.html +++ b/doc/upgrade.html @@ -21,8 +21,12 @@ <h2> in 2.4.0.0 </h2> <ul> + <li> <a href="https://openssl.org/">OpenSSL</a> plus +<a href="https://git.causal.agency/libretls/about/">LibreTLS</a> +can now be used as a backend, since LibreTLS provides an +implementation of the libtls API. </li> <li> <a href="//skarnet.org/software/skalibs/">skalibs</a> -dependency bumped to 2.9.4.0. </li> +dependency bumped to 2.10.0.0. </li> <li> <a href="//skarnet.org/software/execline/">execline</a> has been made optional. It's still enabled by default; disabling it with the <tt>--disable-execline</tt> configure option disables diff --git a/src/tls/s6-tlsserver.c b/src/tls/s6-tlsserver.c index fe493ad..0a6ae78 100644 --- a/src/tls/s6-tlsserver.c +++ b/src/tls/s6-tlsserver.c @@ -6,7 +6,7 @@ #include <skalibs/types.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> -#include <skalibs/djbunix.h> +#include <skalibs/exec.h> #include <s6/config.h> |
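Review bot: In the INSTALL build-requirements hunk (@@ -6,13 +6,15 @@), the new list "bearssl ... or libressl ... or openssl version 1.1.1h or later *in addition to* libretls" reads as three flat alternatives, and a reader skimming it can take libretls as a fourth option rather than a co-requirement of the openssl choice. Suggest nesting it explicitly, e.g. "or openssl version 1.1.1h or later together with libretls version 3.3.0 or later (both are needed)", and dropping the asterisk emphasis, which is markdown in a plain-text file.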
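Review bot: In the INSTALL "SSL support" hunk (@@ -182,14 +184,22 @@), "the libtls API, which has two possible implementations" is contradicted by the next hunk, which names libtls-bearssl as a further one. Say "at least two" or "two implementations that s6-networking is tested against", and keep the libtls-bearssl remark in one place so the two paragraphs do not disagree.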
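Review bot: In the INSTALL libsbearssl/libstls hunk (@@ -198,23 +208,27 @@), the default CRYPTO_LIB of "-ltls -lssl -lcrypto" for the libtls choice deserves a warning now that OpenSSL + LibreTLS is supported: on a host that has both LibreSSL and OpenSSL installed, -ltls may resolve to one vendor's libtls while -lssl -lcrypto resolve to the other's, whichever comes first on the search path, and the resulting binary links a libtls against a libssl/libcrypto it was not built for. Suggest a sentence telling the user to point --with-ssl-path (or CRYPTO_LIB) at a single vendor and to check the result with ldd, or to link statically. Separately, "As of 2020-11-30 ... no known serious bugs" is a dated assertion that will go stale in the file; pointing at BearSSL's own status page instead would age better.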
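Review bot: The NEWS entry "Can be built against OpenSSL + libretls." leaves out the user-visible configure change that comes with it: INSTALL now documents --enable-ssl=libtls as the supported value, with "libressl" kept only as a compatibility alias. Add that to the entry so packagers see it in the changelog, and pick one spelling ("libretls" here, "LibreTLS" in doc/index.html and doc/upgrade.html).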
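Review bot: In the doc/index.html requirements hunk (@@ -44,23 +44,27 @@), "The chosen library is a build-time requirement, and also a run-time requirement if you link against its shared version" no longer fits the new third option, where two libraries (OpenSSL and LibreTLS) are chosen together. Suggest "The chosen library or libraries are ...".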
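Review bot: In the doc/libstls/index.html hunk (@@ -24,8 +24,11 @@), the OpenSSL link is broken: "https://.openssl.org/" has a stray dot after the scheme and should be "https://openssl.org/" as in the other hunks. The same paragraph also still describes libstls as supporting "s6-tlsc and s6-tlsd", while the INSTALL hunk in this commit says s6-tlsc-io and s6-tlsd-io are the binaries linked against it; update the names and the two href targets to match.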
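Review bot: The doc/upgrade.html hunk (@@ -21,8 +21,12 @@) lists only the skalibs bump, but the INSTALL and doc/index.html hunks in this commit also raise the execline minimum to 2.7.0.0 and the s6 minimum to 2.10.0.0; unless those appear further down in the file outside this hunk, add them here. The new --enable-ssl=libtls value (with "libressl" as an alias) is also something an upgrader re-running configure needs to know about and belongs in this list.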
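Review bot: In src/tls/s6-tlsserver.c, only the include line changes (skalibs/djbunix.h to skalibs/exec.h) with no visible call-site change, so whatever exec-related function this file uses must exist under the same name in skalibs/exec.h for the skalibs 2.10.0.0 minimum now stated in INSTALL. Please confirm with a build against exactly that version using -Werror=implicit-function-declaration, and check whether the other TLS and TCP programs in the tree that exec into a child need the same header swap; none of them appear in this diff.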