From 3086d49c7b5a16c46027458ccf3bdfff3b485c03 Mon Sep 17 00:00:00 2001 From: Alexis Date: Tue, 28 Sep 2021 15:53:34 +1000 Subject: [PATCH] Update to 2.5.0.0. --- Makefile | 1 - minidentd.1 | 98 ------------------------------------------- s6-tcpserver-access.1 | 5 ++- s6-tlsc.1 | 15 ++++++- s6-tlsd-io.1 | 69 ++++++++++++++++++++++++++---- s6-tlsd.1 | 72 ++++++++++++++++++++++++++++--- s6-tlsserver.1 | 2 + s6-ucspitlsc.1 | 9 ++-- s6-ucspitlsd.1 | 62 +++++++++++++++++++++++---- 9 files changed, 205 insertions(+), 128 deletions(-) delete mode 100644 minidentd.1 diff --git a/Makefile b/Makefile index 72f2020..59f2f83 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,6 @@ man1 = $(MANPATH)/man1/ man7 = $(MANPATH)/man7/ man1_targets = \ - minidentd.1 \ s6-clockadd.1 \ s6-clockview.1 \ s6-getservbyname.1 \ diff --git a/minidentd.1 b/minidentd.1 deleted file mode 100644 index 9016cd7..0000000 --- a/minidentd.1 +++ /dev/null @@ -1,98 +0,0 @@ -.Dd February 16, 2021 -.Dt MINIDENTD 1 -.Os -.Sh NAME -.Nm minidentd -.Nd small UCSPI[1] server application that answers IDENT requests -.Sh SYNOPSIS -.Nm -.Op Fl v -.Op Fl n | Fl i | Fl r -.Op Fl y Ar file -.Op Fl t Ar timeout -.Sh DESCRIPTION -.Nm -reads a series of IDENT requests on stdin and answers them on stdout. -It logs what it's doing on stderr. -The environment variables -.Ev \& Ns Ar x Ns LOCALIP -and -.Ev \& Ns Ar x Ns REMOTEIP , -where -.Ar x -is the value of the PROTO environment variable, must contain the IDENT -server address and the IDENT client address, respectively. -.Pp -.Nm -exits 0 on success, 100 on a usage error and 111 on a system call -failure. -.Pp -.Nm -does not contact the network directly. -It's meant to run under a super-server like -.Xr s6-tcpserver 1 . -.Nm -will work with IPv4 as well as IPv6. -.Pp -.Nm -works only under Linux (2.2 or later); on other systems, it will -compile and run, but report an error for every request. -.Pp -The problem is that -.Em there is no portable Unix way -of listing active outgoing TCP connections with the relevant uids. -On Linux, -.Nm -parses the -.Pa /proc/net/tcp -or -.Pa /proc/net/tcp6 -virtual file. -Other systems have their own way of doing this, if you want your -system to be supported by -.Nm , -please contact the author. -.Sh OPTIONS -.Bl -tag -width x -.It Fl v -Verbose mode. -Log queries and replies. -.It Fl n -Send ERROR : HIDDEN-USER replies if the user has a -.Pa .ident -file in their home directory. -.It Fl i -User-defined answers. -The first 14 chars of the user's -.Pa .ident -file, up to EOF or newline, are used instead of the user name. -If the file exists and is empty, send ERROR : HIDDEN-USER. -If it doesn't exist, send a normal reply. -.It Fl r -Send random replies. -.It Fl y Ar file -Valid with -.Ql -n -or -.Ql -i . -Use -.Ar file -instead of -.Pa .ident . -.It Fl t Ar timeout -Close connection after -.Ar timeout -milliseconds without a client request. -.El -.Sh SEE ALSO -.Xr s6-ident-client 1 , -.Xr s6-tcpserver 1 -.Pp -[1] -.Lk https://cr.yp.to/proto/ucspi.txt -.Pp -This man page is ported from the authoritative documentation at: -.Lk https://skarnet.org/software/s6-networking/minidentd.html -.Sh AUTHORS -.An Laurent Bercot -.An Alexis Ao Mt flexibeast@gmail.com Ac (man page port) diff --git a/s6-tcpserver-access.1 b/s6-tcpserver-access.1 index 9407a7a..30bd2bf 100644 --- a/s6-tcpserver-access.1 +++ b/s6-tcpserver-access.1 @@ -1,4 +1,4 @@ -.Dd January 31, 2021 +.Dd September 28, 2021 .Dt S6-TCPSERVER-ACCESS 1 .Os .Sh NAME @@ -40,7 +40,8 @@ or their stripped-down versions or .Xr s6-tcpserver6d 1 . .Pp -It checks that the remote end of the connection fits the accepted criteria defined by the database contained in +It checks that the remote end of the connection fits the accepted +criteria defined by the database contained in .Ar rulesdir or .Ar rulesfile . diff --git a/s6-tlsc.1 b/s6-tlsc.1 index b690518..b7f7928 100644 --- a/s6-tlsc.1 +++ b/s6-tlsc.1 @@ -1,4 +1,4 @@ -.Dd April 22, 2021 +.Dd September 28, 2021 .Dt S6-TLSC 1 .Os .Sh NAME @@ -183,6 +183,19 @@ Contains if the .Fl k option has been given; otherwise it is removed from the environment. +.It Ev SSL_PEER_CERT_HASH +Contains the hash of the peer's End Entity certificate, prefixed by +the name of the hash and a colon +.Po +typically +.Ql SHA256\&: +.Pc . +.It Ev SSL_PEER_CERT_SUBJECT +Contains the decoded subjectDN of the peer's End Entity certificate, +i.e. identifying information. +What is traditionally called the +.Dq name +of the certificate is the CN field in that data. .El .Pp More similar environment variables containing information about the diff --git a/s6-tlsd-io.1 b/s6-tlsd-io.1 index e8b5098..c5de5a5 100644 --- a/s6-tlsd-io.1 +++ b/s6-tlsd-io.1 @@ -1,4 +1,4 @@ -.Dd February 16, 2021 +.Dd September 28, 2021 .Dt S6-TLSD-IO 1 .Os .Sh NAME @@ -10,8 +10,9 @@ communicate with an existing local program over already established pipes .Op Fl S | Fl s .Op Fl Y | Fl y .Op Fl v Ar verbosity -.Op Fl K kimeout -.Op Fl d notif +.Op Fl K Ar kimeout +.Op Fl k Ar snilevel +.Op Fl d Ar notif .Op -- .Ar fdr .Ar fdw @@ -134,16 +135,52 @@ Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. .It Fl Y -Do not send a client certificate. -This is the default. +Require an optional client certificate. .It Fl y -Send a client certificate. +Require a mandatory client certificate. +The default, with neither the +.Fl Y +nor the +.Fl y +option, is not to require a client certificate at all. .It Fl K Ar kimeout If the peer fails to send data for .Ar kimeout milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). +.It Fl k Ar snilevel +Support alternative certificate chains for SNI. +If +.Ar snilevel +is nonzero, private key file names are read from every environment +variable of the form +.Ev KEYFILE\&: Ns Ar x , +where +.Ar x +is a server name that the client may require, and a corresponding +certificate chain for the name +.Ar x +should exist in the file named after the contents of the +.Ev CERTFILE\&: Ns Ar x +environment variable. +If +.Ar snilevel +is 2 or more, +.Em only +those files are read, and the generic +.Ev KEYFILE +and +.Ev CERTFILE +variables are ignored. +If +.Ar snilevel +is 0, or if the option is not given, which is the default, +.Ev KEYFILE +and +.Ev CERTFILE +are the only private key / certificate chain pair that are loaded, no +other environment variable is read for keypairs. .It Fl d Ar notif Handshake notification. .Ar notif @@ -172,7 +209,7 @@ expects to have the following environment variables set: A path to the file containing the server's private key, DER- or PEM-encoded. .It Ev CERTFILE -A path to the file containing the server's certificate, DER- or +A path to the file containing the server's certificate chain, DER- or PEM-encoded. If PEM-encoded, the file can actually contain a chain of certificates. .El @@ -181,6 +218,24 @@ If one of those variables is unset, .Nm will refuse to run. .Pp +Alternatively, if +.Ar snilevel +is nonzero, the private key for the server named +.Ar x +should be held in a file whose name is contained in the +.Ev KEYFILE\&: Ns Ar x +environment variable, and the corresponding certificate chain file +should be named in the +.Ev CERTFILE\&: Ns Ar x +environment variable. +If +.Ar snilevel +is 2 or more, the +.Ev KEYFILE +and +.Ev CERTFILE +variables will be entirely ignored. +.Pp If you are using client certificates, .Nm also requires either one of the following variables to be set: diff --git a/s6-tlsd.1 b/s6-tlsd.1 index 13970e1..e449cb1 100644 --- a/s6-tlsd.1 +++ b/s6-tlsd.1 @@ -1,4 +1,4 @@ -.Dd April 22, 2021 +.Dd September 28, 2021 .Dt S6-TLSD 1 .Os .Sh NAME @@ -10,7 +10,8 @@ .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity -.Op Fl K Ar kimeout ] +.Op Fl K Ar kimeout +.Op Fl k Ar snilevel .Op -- .Ar prog... .Sh DESCRIPTION @@ -112,6 +113,38 @@ If the peer fails to send data for milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). +.It Fl k Ar snilevel +Support alternative certificate chains for SNI. +If +.Ar snilevel +is nonzero, private key file names are read from every environment +variable of the form +.Ev KEYFILE\&: Ns Ar x , +where +.Ar x +is a server name that the client may require, and a corresponding +certificate chain for the name +.Ar x +should exist in the file named after the contents of the +.Ev CERTFILE\&: Ns Ar x +environment variable. +If +.Ar snilevel +is 2 or more, +.Em only +those files are read, and the generic +.Ev KEYFILE +and +.Ev CERTFILE +variables are ignored. +If +.Ar snilevel +is 0, or if the option is not given, which is the default, +.Ev KEYFILE +and +.Ev CERTFILE +are the only private key / certificate chain pair that are loaded, no +other environment variable is read for keypairs. .El .Sh ENVIRONMENT .Ss Read @@ -125,7 +158,16 @@ So it should pay attention to the following variables: .It .Ev KEYFILE and -.Ev CERTFILE +.Ev CERTFILE . +Also (or alternatively), if the +.Fl k +option is given: a series of +.Ev KEYFILE\&: Ns Ar x +and +.Ev CERTFILE\&: Ns Ar x +variables, for every +.Ar x +in the set of server names. .It (If the .Fl y @@ -134,11 +176,11 @@ or option has been given) .Ev CADIR or -.Ev CAFILE +.Ev CAFILE . .It .Ev TLS_UID and -.Ev TLS_GID +.Ev TLS_GID . .El .Ss Written By default, @@ -149,6 +191,11 @@ is run with all these variables .Ev CAFILE , .Ev KEYFILE , .Ev CERTFILE , +.Ev KEYFILE\&: Ns Ar x +and +.Ev CERTFILE\&: Ns Ar x +for every +.Ar x , .Ev TLS_UID and .Ev TLS_GID . @@ -158,7 +205,7 @@ child but not to .Ar prog... . The .Fl Z -option prevents that behaviour. +option prevents that behaviour and keeps them accessible in the child. .Pp However, .Ar prog... @@ -172,6 +219,19 @@ Contains the name of the cipher used. Contains the required SNI server name, if any. It is removed from the environment if no SNI has been sent by the client. +.It Ev SSL_PEER_CERT_HASH +Contains the hash of the peer's End Entity certificate, prefixed by +the name of the hash and a colon +.Po +typically +.Ql SHA256\&: +.Pc . +.It Ev SSL_PEER_CERT_SUBJECT +Contains the decoded subjectDN of the peer's End Entity certificate, +i.e. identifying information. +What is traditionally called the +.Dq name +of the certificate is the CN field in that data. .El .Pp More similar environment variables containing information about the diff --git a/s6-tlsserver.1 b/s6-tlsserver.1 index 93cb3fb..b9cc9b0 100644 --- a/s6-tlsserver.1 +++ b/s6-tlsserver.1 @@ -173,6 +173,8 @@ or .Fl y .It .Fl K Ar kimeout +.It +.Fl k Ar snilevel .El .Ss Options passed to Xr s6-applyuidgid 1 .Bl -bullet -width x diff --git a/s6-ucspitlsc.1 b/s6-ucspitlsc.1 index a4af000..9486991 100644 --- a/s6-ucspitlsc.1 +++ b/s6-ucspitlsc.1 @@ -1,4 +1,4 @@ -.Dd February 16, 2021 +.Dd September 28, 2021 .Dt S6-UCSPITLSC 1 .Os .Sh NAME @@ -63,7 +63,6 @@ Default for .Ar verbosity is 1. 0 is quiet, 2 is verbose, more than 2 is debug output. -This option currently has no effect. .It Fl Z Do not clean the environment of the variables used by .Xr s6-tlsc-io 1 @@ -135,18 +134,18 @@ So it should pay attention to the following variables: .It .Ev CADIR or -.Ev CAFILE +.Ev CAFILE . .It (If the .Fl y option has been given) .Ev CERTFILE and -.Ev KEYFILE +.Ev KEYFILE . .It .Ev TLS_UID and -.Ev TLS_GID +.Ev TLS_GID . .El .Ss Written By default, diff --git a/s6-ucspitlsd.1 b/s6-ucspitlsd.1 index 424e72b..d747716 100644 --- a/s6-ucspitlsd.1 +++ b/s6-ucspitlsd.1 @@ -1,4 +1,4 @@ -.Dd February 16, 2021 +.Dd September 28, 2021 .Dt S6-UCSPITLSD 1 .Os .Sh NAME @@ -12,7 +12,8 @@ then execs into an application .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity -.Op FL K Ar kimeout +.Op Fl K Ar kimeout +.Op Fl k Ar snilevel .Op -- .Ar prog... .Sh DESCRIPTION @@ -65,7 +66,6 @@ Default for .Ar verbosity is 1. 0 is quiet, 2 is verbose, more than 2 is debug output. -This option currently has no effect. .It Fl Z Do not clean the environment of the variables used by .Xr s6-tlsc-io 1 @@ -106,6 +106,38 @@ Close the connection if the handshake takes more than milliseconds to complete. The default is 0, which means infinite timeout: let the handshake complete at its own pace, no matter how slow. +.It Fl k Ar snilevel +Support alternative certificate chains for SNI. +If +.Ar snilevel +is nonzero, private key file names are read from every environment +variable of the form +.Ev KEYFILE\&: Ns Ar x , +where +.Ar x +is a server name that the client may require, and a corresponding +certificate chain for the name +.Ar x +should exist in the file named after the contents of the +.Ev CERTFILE\&: Ns Ar x +environment variable. +If +.Ar snilevel +is 2 or more, +.Em only +those files are read, and the generic +.Ev KEYFILE +and +.Ev CERTFILE +variables are ignored. +If +.Ar snilevel +is 0, or if the option is not given, which is the default, +.Ev KEYFILE +and +.Ev CERTFILE +are the only private key / certificate chain pair that are loaded, no +other environment variable is read for keypairs. .El .Sh ENVIRONMENT .Ss Read @@ -119,7 +151,16 @@ So it should pay attention to the following variables: .It .Ev CERTFILE and -.Ev KEYFILE +.Ev KEYFILE . +Also (or alternatively), if the +.Fl k +option is given: a series of +.Ev KEYFILE\&: Ns Ar x +and +.Ev CERTFILE\&: Ns Ar x +variables, for every +.Ar x +in the set of server names. .It (If the .Fl Y @@ -128,11 +169,11 @@ or option has been given) .Ev CADIR or -.Ev CAFILE +.Ev CAFILE . .It .Ev TLS_UID and -.Ev TLS_GID +.Ev TLS_GID . .El .Ss Written By default, @@ -143,16 +184,21 @@ is run with all these variables .Ev CAFILE , .Ev KEYFILE , .Ev CERTFILE , +.Ev KEYFILE\&: Ns Ar x +and +.Ev CERTFILE\&: Ns Ar x +for every +.Ar x , .Ev TLS_UID and .Ev TLS_GID . -They're passed to the +The variables are passed to the .Xr s6-tlsd-io 1 child but not to .Ar prog... . The .Fl Z -option prevents that behaviour. +option prevents that behaviour and keeps them accessible in the child. .Pp However, .Ar prog... -- 2.45.2