M Makefile => Makefile +0 -1
@@ 3,7 3,6 @@ man1 = $(MANPATH)/man1/
man7 = $(MANPATH)/man7/
man1_targets = \
- minidentd.1 \
s6-clockadd.1 \
s6-clockview.1 \
s6-getservbyname.1 \
D minidentd.1 => minidentd.1 +0 -98
@@ 1,98 0,0 @@
-.Dd February 16, 2021
-.Dt MINIDENTD 1
-.Os
-.Sh NAME
-.Nm minidentd
-.Nd small UCSPI[1] server application that answers IDENT requests
-.Sh SYNOPSIS
-.Nm
-.Op Fl v
-.Op Fl n | Fl i | Fl r
-.Op Fl y Ar file
-.Op Fl t Ar timeout
-.Sh DESCRIPTION
-.Nm
-reads a series of IDENT requests on stdin and answers them on stdout.
-It logs what it's doing on stderr.
-The environment variables
-.Ev \& Ns Ar x Ns LOCALIP
-and
-.Ev \& Ns Ar x Ns REMOTEIP ,
-where
-.Ar x
-is the value of the PROTO environment variable, must contain the IDENT
-server address and the IDENT client address, respectively.
-.Pp
-.Nm
-exits 0 on success, 100 on a usage error and 111 on a system call
-failure.
-.Pp
-.Nm
-does not contact the network directly.
-It's meant to run under a super-server like
-.Xr s6-tcpserver 1 .
-.Nm
-will work with IPv4 as well as IPv6.
-.Pp
-.Nm
-works only under Linux (2.2 or later); on other systems, it will
-compile and run, but report an error for every request.
-.Pp
-The problem is that
-.Em there is no portable Unix way
-of listing active outgoing TCP connections with the relevant uids.
-On Linux,
-.Nm
-parses the
-.Pa /proc/net/tcp
-or
-.Pa /proc/net/tcp6
-virtual file.
-Other systems have their own way of doing this, if you want your
-system to be supported by
-.Nm ,
-please contact the author.
-.Sh OPTIONS
-.Bl -tag -width x
-.It Fl v
-Verbose mode.
-Log queries and replies.
-.It Fl n
-Send ERROR : HIDDEN-USER replies if the user has a
-.Pa .ident
-file in their home directory.
-.It Fl i
-User-defined answers.
-The first 14 chars of the user's
-.Pa .ident
-file, up to EOF or newline, are used instead of the user name.
-If the file exists and is empty, send ERROR : HIDDEN-USER.
-If it doesn't exist, send a normal reply.
-.It Fl r
-Send random replies.
-.It Fl y Ar file
-Valid with
-.Ql -n
-or
-.Ql -i .
-Use
-.Ar file
-instead of
-.Pa .ident .
-.It Fl t Ar timeout
-Close connection after
-.Ar timeout
-milliseconds without a client request.
-.El
-.Sh SEE ALSO
-.Xr s6-ident-client 1 ,
-.Xr s6-tcpserver 1
-.Pp
-[1]
-.Lk https://cr.yp.to/proto/ucspi.txt
-.Pp
-This man page is ported from the authoritative documentation at:
-.Lk https://skarnet.org/software/s6-networking/minidentd.html
-.Sh AUTHORS
-.An Laurent Bercot
-.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port)
M s6-tcpserver-access.1 => s6-tcpserver-access.1 +3 -2
@@ 1,4 1,4 @@
-.Dd January 31, 2021
+.Dd September 28, 2021
.Dt S6-TCPSERVER-ACCESS 1
.Os
.Sh NAME
@@ 40,7 40,8 @@ or their stripped-down versions
or
.Xr s6-tcpserver6d 1 .
.Pp
-It checks that the remote end of the connection fits the accepted criteria defined by the database contained in
+It checks that the remote end of the connection fits the accepted
+criteria defined by the database contained in
.Ar rulesdir
or
.Ar rulesfile .
M s6-tlsc.1 => s6-tlsc.1 +14 -1
@@ 1,4 1,4 @@
-.Dd April 22, 2021
+.Dd September 28, 2021
.Dt S6-TLSC 1
.Os
.Sh NAME
@@ 183,6 183,19 @@ Contains
if the
.Fl k
option has been given; otherwise it is removed from the environment.
+.It Ev SSL_PEER_CERT_HASH
+Contains the hash of the peer's End Entity certificate, prefixed by
+the name of the hash and a colon
+.Po
+typically
+.Ql SHA256\&:
+.Pc .
+.It Ev SSL_PEER_CERT_SUBJECT
+Contains the decoded subjectDN of the peer's End Entity certificate,
+i.e. identifying information.
+What is traditionally called the
+.Dq name
+of the certificate is the CN field in that data.
.El
.Pp
More similar environment variables containing information about the
M s6-tlsd-io.1 => s6-tlsd-io.1 +62 -7
@@ 1,4 1,4 @@
-.Dd February 16, 2021
+.Dd September 28, 2021
.Dt S6-TLSD-IO 1
.Os
.Sh NAME
@@ 10,8 10,9 @@ communicate with an existing local program over already established pipes
.Op Fl S | Fl s
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
-.Op Fl K kimeout
-.Op Fl d notif
+.Op Fl K Ar kimeout
+.Op Fl k Ar snilevel
+.Op Fl d Ar notif
.Op --
.Ar fdr
.Ar fdw
@@ 134,16 135,52 @@ Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl Y
-Do not send a client certificate.
-This is the default.
+Require an optional client certificate.
.It Fl y
-Send a client certificate.
+Require a mandatory client certificate.
+The default, with neither the
+.Fl Y
+nor the
+.Fl y
+option, is not to require a client certificate at all.
.It Fl K Ar kimeout
If the peer fails to send data for
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
+.It Fl k Ar snilevel
+Support alternative certificate chains for SNI.
+If
+.Ar snilevel
+is nonzero, private key file names are read from every environment
+variable of the form
+.Ev KEYFILE\&: Ns Ar x ,
+where
+.Ar x
+is a server name that the client may require, and a corresponding
+certificate chain for the name
+.Ar x
+should exist in the file named after the contents of the
+.Ev CERTFILE\&: Ns Ar x
+environment variable.
+If
+.Ar snilevel
+is 2 or more,
+.Em only
+those files are read, and the generic
+.Ev KEYFILE
+and
+.Ev CERTFILE
+variables are ignored.
+If
+.Ar snilevel
+is 0, or if the option is not given, which is the default,
+.Ev KEYFILE
+and
+.Ev CERTFILE
+are the only private key / certificate chain pair that are loaded, no
+other environment variable is read for keypairs.
.It Fl d Ar notif
Handshake notification.
.Ar notif
@@ 172,7 209,7 @@ expects to have the following environment variables set:
A path to the file containing the server's private key, DER- or
PEM-encoded.
.It Ev CERTFILE
-A path to the file containing the server's certificate, DER- or
+A path to the file containing the server's certificate chain, DER- or
PEM-encoded.
If PEM-encoded, the file can actually contain a chain of certificates.
.El
@@ 181,6 218,24 @@ If one of those variables is unset,
.Nm
will refuse to run.
.Pp
+Alternatively, if
+.Ar snilevel
+is nonzero, the private key for the server named
+.Ar x
+should be held in a file whose name is contained in the
+.Ev KEYFILE\&: Ns Ar x
+environment variable, and the corresponding certificate chain file
+should be named in the
+.Ev CERTFILE\&: Ns Ar x
+environment variable.
+If
+.Ar snilevel
+is 2 or more, the
+.Ev KEYFILE
+and
+.Ev CERTFILE
+variables will be entirely ignored.
+.Pp
If you are using client certificates,
.Nm
also requires either one of the following variables to be set:
M s6-tlsd.1 => s6-tlsd.1 +66 -6
@@ 1,4 1,4 @@
-.Dd April 22, 2021
+.Dd September 28, 2021
.Dt S6-TLSD 1
.Os
.Sh NAME
@@ 10,7 10,8 @@
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
-.Op Fl K Ar kimeout ]
+.Op Fl K Ar kimeout
+.Op Fl k Ar snilevel
.Op --
.Ar prog...
.Sh DESCRIPTION
@@ 112,6 113,38 @@ If the peer fails to send data for
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
+.It Fl k Ar snilevel
+Support alternative certificate chains for SNI.
+If
+.Ar snilevel
+is nonzero, private key file names are read from every environment
+variable of the form
+.Ev KEYFILE\&: Ns Ar x ,
+where
+.Ar x
+is a server name that the client may require, and a corresponding
+certificate chain for the name
+.Ar x
+should exist in the file named after the contents of the
+.Ev CERTFILE\&: Ns Ar x
+environment variable.
+If
+.Ar snilevel
+is 2 or more,
+.Em only
+those files are read, and the generic
+.Ev KEYFILE
+and
+.Ev CERTFILE
+variables are ignored.
+If
+.Ar snilevel
+is 0, or if the option is not given, which is the default,
+.Ev KEYFILE
+and
+.Ev CERTFILE
+are the only private key / certificate chain pair that are loaded, no
+other environment variable is read for keypairs.
.El
.Sh ENVIRONMENT
.Ss Read
@@ 125,7 158,16 @@ So it should pay attention to the following variables:
.It
.Ev KEYFILE
and
-.Ev CERTFILE
+.Ev CERTFILE .
+Also (or alternatively), if the
+.Fl k
+option is given: a series of
+.Ev KEYFILE\&: Ns Ar x
+and
+.Ev CERTFILE\&: Ns Ar x
+variables, for every
+.Ar x
+in the set of server names.
.It
(If the
.Fl y
@@ 134,11 176,11 @@ or
option has been given)
.Ev CADIR
or
-.Ev CAFILE
+.Ev CAFILE .
.It
.Ev TLS_UID
and
-.Ev TLS_GID
+.Ev TLS_GID .
.El
.Ss Written
By default,
@@ 149,6 191,11 @@ is run with all these variables
.Ev CAFILE ,
.Ev KEYFILE ,
.Ev CERTFILE ,
+.Ev KEYFILE\&: Ns Ar x
+and
+.Ev CERTFILE\&: Ns Ar x
+for every
+.Ar x ,
.Ev TLS_UID
and
.Ev TLS_GID .
@@ 158,7 205,7 @@ child but not to
.Ar prog... .
The
.Fl Z
-option prevents that behaviour.
+option prevents that behaviour and keeps them accessible in the child.
.Pp
However,
.Ar prog...
@@ 172,6 219,19 @@ Contains the name of the cipher used.
Contains the required SNI server name, if any.
It is removed from the environment if no SNI has been sent by the
client.
+.It Ev SSL_PEER_CERT_HASH
+Contains the hash of the peer's End Entity certificate, prefixed by
+the name of the hash and a colon
+.Po
+typically
+.Ql SHA256\&:
+.Pc .
+.It Ev SSL_PEER_CERT_SUBJECT
+Contains the decoded subjectDN of the peer's End Entity certificate,
+i.e. identifying information.
+What is traditionally called the
+.Dq name
+of the certificate is the CN field in that data.
.El
.Pp
More similar environment variables containing information about the
M s6-tlsserver.1 => s6-tlsserver.1 +2 -0
@@ 173,6 173,8 @@ or
.Fl y
.It
.Fl K Ar kimeout
+.It
+.Fl k Ar snilevel
.El
.Ss Options passed to Xr s6-applyuidgid 1
.Bl -bullet -width x
M s6-ucspitlsc.1 => s6-ucspitlsc.1 +4 -5
@@ 1,4 1,4 @@
-.Dd February 16, 2021
+.Dd September 28, 2021
.Dt S6-UCSPITLSC 1
.Os
.Sh NAME
@@ 63,7 63,6 @@ Default for
.Ar verbosity
is 1.
0 is quiet, 2 is verbose, more than 2 is debug output.
-This option currently has no effect.
.It Fl Z
Do not clean the environment of the variables used by
.Xr s6-tlsc-io 1
@@ 135,18 134,18 @@ So it should pay attention to the following variables:
.It
.Ev CADIR
or
-.Ev CAFILE
+.Ev CAFILE .
.It
(If the
.Fl y
option has been given)
.Ev CERTFILE
and
-.Ev KEYFILE
+.Ev KEYFILE .
.It
.Ev TLS_UID
and
-.Ev TLS_GID
+.Ev TLS_GID .
.El
.Ss Written
By default,
M s6-ucspitlsd.1 => s6-ucspitlsd.1 +54 -8
@@ 1,4 1,4 @@
-.Dd February 16, 2021
+.Dd September 28, 2021
.Dt S6-UCSPITLSD 1
.Os
.Sh NAME
@@ 12,7 12,8 @@ then execs into an application
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
-.Op FL K Ar kimeout
+.Op Fl K Ar kimeout
+.Op Fl k Ar snilevel
.Op --
.Ar prog...
.Sh DESCRIPTION
@@ 65,7 66,6 @@ Default for
.Ar verbosity
is 1.
0 is quiet, 2 is verbose, more than 2 is debug output.
-This option currently has no effect.
.It Fl Z
Do not clean the environment of the variables used by
.Xr s6-tlsc-io 1
@@ 106,6 106,38 @@ Close the connection if the handshake takes more than
milliseconds to complete.
The default is 0, which means infinite timeout: let the handshake
complete at its own pace, no matter how slow.
+.It Fl k Ar snilevel
+Support alternative certificate chains for SNI.
+If
+.Ar snilevel
+is nonzero, private key file names are read from every environment
+variable of the form
+.Ev KEYFILE\&: Ns Ar x ,
+where
+.Ar x
+is a server name that the client may require, and a corresponding
+certificate chain for the name
+.Ar x
+should exist in the file named after the contents of the
+.Ev CERTFILE\&: Ns Ar x
+environment variable.
+If
+.Ar snilevel
+is 2 or more,
+.Em only
+those files are read, and the generic
+.Ev KEYFILE
+and
+.Ev CERTFILE
+variables are ignored.
+If
+.Ar snilevel
+is 0, or if the option is not given, which is the default,
+.Ev KEYFILE
+and
+.Ev CERTFILE
+are the only private key / certificate chain pair that are loaded, no
+other environment variable is read for keypairs.
.El
.Sh ENVIRONMENT
.Ss Read
@@ 119,7 151,16 @@ So it should pay attention to the following variables:
.It
.Ev CERTFILE
and
-.Ev KEYFILE
+.Ev KEYFILE .
+Also (or alternatively), if the
+.Fl k
+option is given: a series of
+.Ev KEYFILE\&: Ns Ar x
+and
+.Ev CERTFILE\&: Ns Ar x
+variables, for every
+.Ar x
+in the set of server names.
.It
(If the
.Fl Y
@@ 128,11 169,11 @@ or
option has been given)
.Ev CADIR
or
-.Ev CAFILE
+.Ev CAFILE .
.It
.Ev TLS_UID
and
-.Ev TLS_GID
+.Ev TLS_GID .
.El
.Ss Written
By default,
@@ 143,16 184,21 @@ is run with all these variables
.Ev CAFILE ,
.Ev KEYFILE ,
.Ev CERTFILE ,
+.Ev KEYFILE\&: Ns Ar x
+and
+.Ev CERTFILE\&: Ns Ar x
+for every
+.Ar x ,
.Ev TLS_UID
and
.Ev TLS_GID .
-They're passed to the
+The variables are passed to the
.Xr s6-tlsd-io 1
child but not to
.Ar prog... .
The
.Fl Z
-option prevents that behaviour.
+option prevents that behaviour and keeps them accessible in the child.
.Pp
However,
.Ar prog...