From 9c4a097d900fb623abeb61d3a58cf58e9c5f383f Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 20 Nov 2023 05:13:06 +0000 Subject: Update documentation; make s6-tlsd-io more conservative by default Signed-off-by: Laurent Bercot --- doc/libsbearssl/index.html | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'doc/libsbearssl/index.html') diff --git a/doc/libsbearssl/index.html b/doc/libsbearssl/index.html index 64a7c0b..291290d 100644 --- a/doc/libsbearssl/index.html +++ b/doc/libsbearssl/index.html @@ -22,8 +22,8 @@

libsbearssl is a support library for the -s6-tlsc and -s6-tlsd executables when they're built +s6-tlsc-io and +s6-tlsd-io executables when they're built against the BearSSL backend. Among other things, it offers interfaces to read private keys and certificates from a Unix filesystem, which BearSSL does @@ -533,7 +533,7 @@ DN of the end entity after validation. eltstatus must point to a user-supplied uint8_t, which after validation encodes the status of DN extraction: bit 7 of eltstatus is set if there was an issue during extraction (in which case the contents of *eedn are meaningless) and clear if -everything went well, and bits 0 to 6 are set iff the corresponding element +everything went well, and bits 0 to 5 are set iff the corresponding element of the DN is present, by increasing order C, ST, L, O, OU and CN.

@@ -603,9 +603,13 @@ a high-level function missing from BearSSL: it fully initializes a and all the hashes provided by BearSSL with a good degradation order, supporting TLS 1.0 to TLS 1.2, etc. What it doesn't set: the engine buffer, the certificate policy, the optional engine flags, and the optional client -certificate validation. +certificate validation. If the user wishes to be more conservative with the +TLS versions, they can use the +br_ssl_engine_set_versions() +call on &sc→eng afterwards.

+

void sbearssl_sctx_set_policy_sni (br_ssl_server_context *sc, sbearssl_sni_policy_context *pol)

@@ -725,6 +729,11 @@ server for client authentication.

  • Bit 0: if clear, no close_notify is performed and the engine will transmit EOF as received. If set, close_notify will be performed to end the TLS connection.
  • +
  • Bit 1: if clear, on reception of an EOF from the peer without a +preceding close_notify, the EOF will be transmitted to the local program, +and the connection will eventually end normally, with the process exiting 0. +If set, if the peer closes the connection without sending a close_notify, +the process will exit 98 with a fatal error message.
  • verbosity defines the engine's verbosity: the higher the more verbose. This parameter is currently ignored.
  • -- cgit v1.2.3