M man8/s6-tcpclient.8 => man8/s6-tcpclient.8 +19 -7
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TCPCLIENT 8
.Os
.Sh NAME
@@ 10,7 10,8 @@
.Op Fl 4 | Fl 6
.Op Fl d | Fl D
.Op Fl r | Fl R
-.Op Fl h | Fl H
+.Op Fl h
+.Op Fl H
.Op Fl n | Fl N
.Op Fl t Ar timeout
.Op Fl l Ar localname
@@ 53,7 54,7 @@ The first address to answer wins.
The connection attempt fails if no address in the list is able to
answer.
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl q
Be quiet.
.It Fl Q
@@ 92,10 93,21 @@ compatibility with legacy programs.
Do not use the IDENT protocol.
This is the default.
.It Fl h
-Try and obtain the remote host name via DNS.
-This is the default.
+Consult the
+.Pa /etc/hosts
+database before performing DNS queries.
+The default, when this option is not given, is to ignore
+.Pa /etc/hosts .
+The
+.Fl H
+option overrides
+.Fl h
+and voids any kind of lookup.
.It Fl H
-Do not try and obtain the remote host name via DNS.
+Do not try and obtain the local or remote host names via DNS.
+The default, when this option is not given, is to look up the local
+and remote host IPs in the DNS database to get the corresponding
+names.
.It Fl n
Qualify
.Ar host
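Review bot: the `.Fl H` entry should also state that it suppresses the `/etc/hosts` lookup, since that fact currently lives only under `.Fl h` ("overrides -h and voids any kind of lookup") and a reader who goes straight to `-H` will miss it. Minor grammar in the same lines: "Do not try and obtain" reads better as "Do not try to obtain".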
@@ 161,7 173,7 @@ is 58.
.Sh ENVIRONMENT
.Ar prog...
is run with the following variables set:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPREMOTEIP
M man8/s6-tcpserver-access.8 => man8/s6-tcpserver-access.8 +24 -10
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TCPSERVER-ACCESS 8
.Os
.Sh NAME
@@ 9,7 9,8 @@
.Op Fl v Ar verbosity
.Op Fl W | Fl w
.Op Fl D | Fl d
-.Op Fl H | Fl h
+.Op Fl H
+.Op Fl h
.Op Fl R | Fl r
.Op Fl P | Fl p
.Op Fl l Ar localname
@@ 64,7 65,7 @@ value.
.Nm
checks its client connection against a ruleset.
This ruleset can be implemented:
-.Bl -bullet -width x
+.Bl -bullet
.It
either in the filesystem as an arborescence of directories and files,
if the
@@ 115,7 116,7 @@ if
.Ar ip
is v6.
If the result is:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Dv S6_ACCESSRULES_ERROR
it immediately exits 111.
.It Dv S6_ACCESSRULES_DENY
@@ 198,10 199,10 @@ execs
into
.Ql execlineb -c Ar newprog .
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose, i.e. print more or less information to stderr:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 0
Only log error messages.
.It 1
@@ 236,9 237,22 @@ Disable DNS lookups for the
and
.Ev ${PROTO}REMOTEHOST
environment variables.
+The default, when this option is not given, is to try and read them
+from DNS.
.It Fl h
-Enable DNS lookups.
-This is the default.
+Consult
+.Pa /etc/hosts
+before DNS.
+The default, when this option is not given, is to ignore
+.Pa /etc/hosts .
+Note 1: the
+.Fl H
+option overrides this one, no DNS lookups means that the hosts
+database won't be consulted either.
+Note 2: if a name is obtained via the hosts database instead of DNS,
+any
+.Fl p
+checks will be disabled for it.
.It Fl R
Disable IDENT lookups for the
.Ev ${PROTO}REMOTEINFO
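Review bot: Note 2 is the security-relevant part of this hunk and deserves a full sentence rather than an aside: a name taken from `/etc/hosts` is trusted as-is and the `-p` paranoid DNS cross-check is skipped for it, so hostname-based access rules will match whatever the hosts database says for that IP. The `-p` option description, which this diff does not touch, should cross-reference this. Minor: Note 1 is a comma splice ("overrides this one, no DNS lookups means"); a colon or "because" after "overrides this one" fixes it, and "try and read them" should be "try to read them".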
@@ 298,7 312,7 @@ performed.
.Nm
expects to inherit some environment variables from
its parent:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
Normally TCP, but could be anything else.
.It Ev ${PROTO}LOCALIP
@@ 313,7 327,7 @@ The remote port of the socket.
.Pp
Additionally, it exports the following variables before executing into
.Ar prog... :
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev ${PROTO}REMOTEIP
Via the IDENT protocol if the
.Fl r
M man8/s6-tcpserver.8 => man8/s6-tcpserver.8 +22 -6
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TCPSERVER 8
.Os
.Sh NAME
@@ 58,7 58,7 @@ the
.Nm
is actually a wrapper that rewrites itself into a command line
running:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Xr s6-tcpserver-socketbinder 8 ,
that binds the socket and listens to it.
@@ 87,8 87,23 @@ processes: one on
.Ql 0.0.0.0
and one on
.Ql :: .
+.Pp
+The option to make
+.Nm
+verbose is
+.Ql -v ,
+without an argument.
+This is different from the
+.Xr s6-tcpserverd 8
+interface, where that would be
+.Ql -v 2 .
+The difference exists because
+.Nm
+follows the UCSPI tool[1] interface, whereas
+.Xr s6-tcpserverd 8
+has no such constraint.
.Ss Signals
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
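Review bot: the new paragraph cites "UCSPI tool[1]", but this diff adds no reference entry to s6-tcpserver.8, whereas the same sentence in s6-tcpserverd.8 cites [2] and that file gains a new "[2] https://cr.yp.to/proto/ucspi.txt" entry. Check that [1] in s6-tcpserver.8 actually points at the UCSPI specification and not at the tcpserver page; if not, add the matching entry.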
@@ 107,7 122,7 @@ to all children, then exit.
Send a SIGKILL to all children, then exit.
.El
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl q
Be quiet.
Only print fatal error messages to stderr.
@@ 169,7 184,8 @@ This is only valid when run as root.
.It Fl U
Change
.Nm Ap
-s user id, group id and supplementary group list according to the values of the
+s user id, group id and supplementary group list according to the
+values of the
.Ev UID ,
.Ev GID
and
@@ 185,7 201,7 @@ then drops its privileges to those of a named non-root account.
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP
M man8/s6-tcpserverd.8 => man8/s6-tcpserverd.8 +25 -4
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TCPSERVERD 8
.Os
.Sh NAME
@@ 60,8 60,26 @@ from a fd-holding daemon
some people call this
.Dq socket activation
.Pc .
+.Pp
+The option to make
+.Nm
+verbose is
+.Ql -v 2 ,
+where the verbosity level is given as an argument, 0 being quiet, 1
+normal and 2 verbose.
+This is different from the
+.Xr s6-tcpserver 8
+interface, where
+.Ql -v
+without an argument would indicate extra verbosity.
+The difference exists because
+.Xr s6-tcpserver 8
+follows the UCSPI tool[2] interface, whereas
+.Nm
+has no such constraint, and giving the verbosity level as a number is
+a better interface.
.Ss Signals
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
@@ 82,7 100,7 @@ Send a
to all children, then exit.
.El
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl 1
Write the local port, followed by newline, to stdout, and close
stdout, right before entering the client-accepting loop.
@@ 116,7 134,7 @@ It is impossible to set it higher than
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP
@@ 141,6 159,9 @@ Set to the number of connections originating from the same IP address.
[1]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
.Pp
+[2]
+.Lk https://cr.yp.to/proto/ucspi.txt
+.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserverd.html
.Sh AUTHORS
M man8/s6-tlsc-io.8 => man8/s6-tlsc-io.8 +33 -16
@@ 1,4 1,4 @@
-.Dd September 29, 2021
+.Dd November 20, 2023
.Dt S6-TLSC-IO 8
.Os
.Sh NAME
@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
.Op Fl K Ar kimeout
@@ 27,20 28,25 @@ is provided by the chosen SSL backend: BearSSL[1] or LibreSSL[2],
depending on the options given when configuring s6-networking.
.Pp
.Nm
-expects to have an open connection it can talk to on its standard
-input and output.
-It also expects to read cleartext data from file descriptor
+expects to read cleartext data to stdin, and write cleartext data to
+stdout.
+It also expects descriptors
.Ar fdr
-and write cleartext data to file descriptor
-.Ar fdw .
+and
+.Ar fdw
+to be open
+.Po
+typically connected to the network
+.Pc ,
+to respectively read ciphertext from and write ciphertext to.
.Pp
It initiates a TLS handshake over the network connection, expecting a
TLS server on the other side.
.Pp
-Then it acts as a full duplex tunnel, decrypting and transmitting data
+Then it acts as a full duplex tunnel, encrypting and transmitting data
from stdin to
.Ar fdw ,
-and encrypting and transmitting data from
+and decrypting and transmitting data from
.Ar fdr
to stdout.
.Pp
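Review bot: "expects to read cleartext data to stdin" should be "from stdin"; the preposition got swapped while the data direction was being corrected. The rest of the hunk (encrypting stdin to fdw, decrypting fdr to stdout) is now consistent with the fdr/fdw description just above it, which is the actual fix here.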
@@ 87,7 93,7 @@ If the local application initiates the end of the session by sending
EOF to
.Ar fdr ,
there are two ways for the TLS layer to handle it.
-.Bl -enum -width x
+.Bl -enum
.It
It can send a
.Ql close_notify
@@ 126,7 132,7 @@ force it to use the
.Ql close_notify
method if your application requires it to be secure.
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 142,6 148,15 @@ alert and break the connection when receiving a local EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Treat EOF from the peer without a prior
+.Ql close_notify
+as an error: print a fatal error message and exit 98.
+.It Fl j
+Treat EOF from the peer without a prior
+.Ql close_notify
+as a normal exit condition.
+This is the default.
.It Fl Y
Do not send a client certificate.
This is the default.
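Review bot: `-J` introduces a new exit code 98, but no hunk in this diff adds a 98 entry to the EXIT STATUS section of s6-tlsc-io.8 (the only change there is the list width); add one so callers can tell a peer that dropped the connection without `close_notify` apart from other failures. Under `-j` it is also worth saying that the default accepts a session cut short without `close_notify` as normal, with a pointer to the earlier `close_notify` security note, since that is exactly the case `-J` exists to catch.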
@@ 152,11 167,13 @@ Use Server Name Indication, and send
.Ar servername .
The default is not to use SNI, which may be a security risk.
.It Fl K Ar kimeout
-If the peer fails to send data for
+If the handshake takes more than
.Ar kimeout
-milliseconds during the handshake, close the connection.
-The default is 0, which means infinite timeout (never kill the
-connection).
+milliseconds to complete, close the connection.
+The default is 0, which means infinite timeout
+.Po
+never kill the connection
+.Pc .
.It Fl d Ar notif
Handshake notification.
.Ar notif
@@ 189,7 206,7 @@ If both are set,
.Ev CADIR
has priority.
The value of that variable is:
-.Bl -bullet -width x
+.Bl -bullet
.It
for
.Ev CADIR :
@@ 231,7 248,7 @@ should drop its own root privileges by its own means: the
.Xr s6-applyuidgid 8
program is a chainloading way of doing it.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 0
The connection terminated normally.
.It 96
M man8/s6-tlsc.8 => man8/s6-tlsc.8 +20 -9
@@ 1,4 1,4 @@
-.Dd September 29, 2021
+.Dd November 20, 2023
.Dt S6-TLSC 8
.Os
.Sh NAME
@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
@@ 60,7 61,7 @@ and the server command line to
without changing the client or the server themselves, and the
communication between them will be secure.
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 93,6 94,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Make
+.Xr s6-tlsc-io 8
+exit with a nonzero code if the peer sends EOF without a
+.Ql close_notify
+first.
+.It Fl j
+Treat EOF from the peer as a normal exit condition.
.It Fl Y
Do not send a client certificate.
This is the default.
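Review bot: `.It Fl j` here lacks the "This is the default." sentence that the s6-tlsc-io.8 hunk carries, and `.It Fl J` says "nonzero code" where s6-tlsc-io.8 says "exit 98"; align the wrapper page with the engine page so both describe the same behaviour.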
@@ 103,11 112,13 @@ Use Server Name Indication, and send
.Ar servername .
The default is not to use SNI, which may be a security risk.
.It Fl K Ar kimeout
-If the peer fails to send data for
+If the handshake takes more than
.Ar kimeout
-milliseconds during the handshake, close the connection.
-The default is 0, which means infinite timeout (never kill the
-connection).
+milliseconds to complete, close the connection.
+The default is 0, which means infinite timeout
+.Po
+never kill the connection
+.Pc .
.It Fl 6 Ar fdr
Expect an open file descriptor numbered
.Ar fdr
@@ 134,7 145,7 @@ does not expect to have any particular environment variables, but it spawns an
.Xr s6-tlsc-io 8
program that does.
So it should pay attention to the following variables:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Ev CADIR
or
@@ 172,7 183,7 @@ option prevents that behaviour.
However,
.Ar prog...
is run with the following additional environment variables:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev SSL_PROTOCOL
Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2...
.It Ev SSL_CIPHER
@@ 201,7 212,7 @@ of the certificate is the CN field in that data.
More similar environment variables containing information about the
connection may be added in the future.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111
M man8/s6-tlsclient.8 => man8/s6-tlsclient.8 +20 -10
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TLSCLIENT 8
.Os
.Sh NAME
@@ 18,7 18,7 @@ then executes into a program.
.Pp
.Nm
rewrites itself into a command line involving:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Xr s6-tcpclient 8 ,
which establishes a TCP connection to host
@@ 73,7 73,7 @@ accepts a myriad of options, all of which are passed as is to the
correct executable.
Not giving any options will generally work: the defaults are sensible.
.Ss Options passed as-is to Xr s6-tcpclient 1
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl q , Fl Q , Fl v
Be quiet, normally verbose, or verbose.
.It Fl 4 , Fl 6
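Review bot: the `.Ss Options passed as-is to Xr s6-tcpclient 1` context line references section 1, but s6-tcpclient is installed in section 8 (man8/s6-tcpclient.8 in this same diff); the `Xr s6-tlsc 1` heading further down in this file has the same mismatch. Since these lists are being touched anyway, fix the section numbers.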
@@ 82,10 82,14 @@ Stick to IPv4 or IPv6 addresses.
Enable or disable Nagle's algorithm.
.It Fl r , Fl R
Enable or disable IDENT lookup.
-.It Fl h , Fl H
-Enable or disable DNS lookups.
+.It Fl H
+Disable DNS lookups.
+.It Fl h
+Consult
+.Pa /etc/hosts
+before DNS.
.It Fl l Ar localname
-Get the local name from the command line, not from a DNS lookup.
+Get the local name from the command line, don't look it up.
.It Fl n , Fl N
Qualify the host or not when resolving it.
.It Fl t Ar timeout
@@ 96,13 100,19 @@ Force local socket parameters.
Configurable connection timeouts.
.El
.Ss Options passed as-is to Xr s6-tlsc 1
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsc-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
-Use close_notify or EOF to signal the end of a TLS connection.
+Use
+.Ql close_notify
+or EOF to signal the end of a TLS connection.
+.It Fl J , Fl j
+Exit nonzero with an error message when the peer fails to
+.Ql close_notify ,
+or ignore it.
.It Fl Y , Fl y
Don't send, or send, a client certificate.
.It Fl k Ar servername
@@ 116,7 126,7 @@ The following variables should be set before invoking
.Nm ,
because they will be used by
.Xr s6-tlsc-io 8 :
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev CADIR
.It Ev CAFILE
(alternative to CADIR)
@@ 136,7 146,7 @@ Setting either CADIR or CAFILE is mandatory.
is run with the following variables added to, or removed from, its
environment by
.Xr s6-tcpclient 8 :
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
.It Ev TCPREMOTEIP
.It Ev TCPREMOTEPORT
M man8/s6-tlsd-io.8 => man8/s6-tlsd-io.8 +22 -10
@@ 1,4 1,4 @@
-.Dd January 15, 2023
+.Dd November 20, 2023
.Dt S6-TLSD-IO 8
.Os
.Sh NAME
@@ 8,6 8,7 @@ communicate with an existing local program over already established pipes
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
.Op Fl K Ar kimeout
@@ 80,7 81,7 @@ If the local application initiates the end of the session by sending
EOF to
.Ar fdr ,
there are two ways for the TLS layer to handle it.
-.Bl -bullet -width x
+.Bl -bullet
.It
It can send a
.Ql close_notify
@@ 118,7 119,7 @@ option, you can force it to use the
.Ql close_notify
method if your application requires it to be secure.
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 134,6 135,15 @@ alert and break the connection when receiving a local EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Treat EOF from the peer without a prior
+.Ql close_notify
+as an error: print a fatal error message and exit 98.
+.It Fl j
+Treat EOF from the peer without a prior
+.Ql close_notify
+as a normal exit condition.
+This is the default.
.It Fl Y
Request a client certificate.
The certificate is optional: if the client gives none, the connection
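Review bot: as in s6-tlsc-io.8, `-J` introduces exit code 98 here without a corresponding EXIT STATUS entry anywhere in this diff; add the entry so the documented exit codes stay complete.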
@@ 148,11 158,13 @@ nor the
.Fl y
option, is not to request a client certificate at all.
.It Fl K Ar kimeout
-If the peer fails to send data for
+If the handshake takes more than
.Ar kimeout
-milliseconds during the handshake, close the connection.
-The default is 0, which means infinite timeout (never kill the
-connection).
+milliseconds to complete, close the connection.
+The default is 0, which means infinite timeout
+.Po
+never kill the connection
+.Pc .
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
@@ 208,7 220,7 @@ If this option is not given, no such notification is performed.
.Sh ENVIRONMENT
.Nm
expects to have the following environment variables set:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev KEYFILE
A path to the file containing the server's private key, DER- or
PEM-encoded.
@@ 264,7 276,7 @@ expand the asterisks.
If you are using client certificates,
.Nm
also requires either one of the following variables to be set:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev CADIR
A directory where trust anchors (i.e. root or intermediate CA
certificates) can be found, one per file, DER- or PEM-encoded.
@@ 285,7 297,7 @@ private key file.
This ensures that the engine, including the handshake, is run with as
little privilege as possible.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 0
The connection terminated normally.
.It 96
M man8/s6-tlsd.8 => man8/s6-tlsd.8 +20 -9
@@ 1,4 1,4 @@
-.Dd January 15, 2023
+.Dd November 20, 2023
.Dt S6-TLSD 8
.Os
.Sh NAME
@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
@@ 65,7 66,7 @@ and the server command line to
without changing the client or the server themselves, and the
communication between them will be secure.
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 98,6 99,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Make
+.Xr s6-tlsd-io 8
+exit with a nonzero code if the peer sends EOF without a
+.Ql close_notify
+first.
+.It Fl j
+Treat EOF from the peer as a normal exit condition.
.It Fl Y
Request an optional client certificate.
.It Fl y
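Review bot: `.It Fl j` is missing the "This is the default." sentence that s6-tlsd-io.8 has, and `.It Fl J` says "nonzero code" where s6-tlsd-io.8 says "exit 98"; keep the wrapper and engine pages in agreement.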
@@ 108,11 117,13 @@ nor the
.Fl y
option, is not to request a client certificate at all.
.It Fl K Ar kimeout
-If the peer fails to send data for
+If the handshake takes more than
.Ar kimeout
-milliseconds during the handshake, close the connection.
-The default is 0, which means infinite timeout (never kill the
-connection).
+milliseconds to complete, close the connection.
+The default is 0, which means infinite timeout
+.Po
+never kill the connection
+.Pc .
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
@@ 154,7 165,7 @@ spawns an
.Xr s6-tlsd-io 8
program that does.
So it should pay attention to the following variables:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Ev KEYFILE
and
@@ 212,7 223,7 @@ as well.
However,
.Ar prog...
is run with the following additional environment variables:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev SSL_PROTOCOL
Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2...
.It Ev SSL_CIPHER
@@ 239,7 250,7 @@ of the certificate is the CN field in that data.
More similar environment variables containing information about the
connection may be added in the future.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111
M man8/s6-tlsserver.8 => man8/s6-tlsserver.8 +22 -12
@@ 1,4 1,4 @@
-.Dd November 11, 2023
+.Dd November 20, 2023
.Dt S6-TLSSERVER 8
.Os
.Sh NAME
@@ 19,7 19,7 @@ executes into a program.
.Pp
.Nm
rewrites itself into a command line involving:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Xr s6-tcpserver 8 ,
which listens to TCP connections on IP address
@@ 84,7 84,7 @@ a very public server (such as a Web server) or base your access
control on client certificates, you probably still want TCP access
rules.
.Ss Options passed as-is to Xr s6-tcpserver 1
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl q , Fl Q , Fl v
.It Fl 1
.It Fl c Ar maxconn
@@ 92,7 92,7 @@ rules.
.It Fl b Ar backlog
.El
.Ss Options passed as-is to Xr s6-tcpserver-access 1
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v0 , Fl v2
The verbosity level.
.It Fl w , Fl W
@@ 103,10 103,14 @@ Enable or disable Nagle's algorithm.
Enable or disable IDENT lookups.
.It Fl p , Fl P
Enable or disable paranoid DNS cross-checking.
-.It Fl h , Fl H
-Enable or disable DNS lookups.
+.It Fl H
+Disable DNS lookups.
+.It Fl h
+Consult
+.Pa /etc/hosts
+before DNS.
.It Fl l Ar localname
-Get the local name from the command line, not from DNS.
+Get the local name from the command line, don't look it up.
.It Fl B Ar banner
Initial server-side banner.
.It Fl t Ar timeout
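Review bot: `-h` and `-p` now interact (the s6-tcpserver-access.8 hunk in this diff says names obtained from `/etc/hosts` are exempt from the `-p` checks), so the `.It Fl h` entry here should say so, e.g. "Consult /etc/hosts before DNS; names found there are not cross-checked by -p." Otherwise an operator combining `-p` with `-h` gets less checking than the `-p` line promises.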
@@ 115,13 119,19 @@ Set a timeout for all the lookups.
TCP access control.
.El
.Ss Options passed as-is to Xr s6-tlsd 1
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsd-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
-Use close_notify or EOF to signal the end of a TLS connection.
+Use
+.Ql close_notify
+or EOF to signal the end of a TLS connection.
+.It Fl J , Fl j
+Exit nonzero with an error message when the peer fails to
+.Ql close_notify ,
+or ignore it.
.It Fl Y , Fl y
Request an optional or a mandatory client certificate.
.It Fl K Ar kimeout
@@ 130,7 140,7 @@ Set a timeout for the TLS handshake.
Support SNI-based certificate chains.
.El
.Ss Options passed to s6-applyuidgid
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl u Ar uid , Fl g Ar gid , Fl G Ar gidlist
Set uid, gid, or supplementary group list.
.It Fl U Po passed as Fl Uz Pc
@@ 149,7 159,7 @@ because they will be used by
every
.Xr s6-tlsd 8
invocation:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev KEYFILE
.It Ev CERTFILE
.It Ev TLS_UID and Ev TLS_GI
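Review bot: the context line `.It Ev TLS_UID and Ev TLS_GI` looks cut short and should be checked against the variable name documented in s6-tlsd.8; not part of this change, but worth fixing while the list is being edited.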
@@ 177,7 187,7 @@ or removed from, its environment by
.Xr s6-tcpserverd 8
and possibly by
.Xr s6-tcpserver-access 8 :
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev PROTO
.It Ev TCPREMOTEIP
.It Ev TCPREMOTEPORT
M man8/s6-ucspitlsc.8 => man8/s6-ucspitlsc.8 +14 -5
@@ 1,4 1,4 @@
-.Dd September 29, 2021
+.Dd November 20, 2023
.Dt S6-UCSPITLSC 8
.Os
.Sh NAME
@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
@@ 56,7 57,7 @@ If it does not, you will not be able to secure your connection, and
what you need is a regular immediate TLS program instead, which means
.Xr s6-tlsc 8 .
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 88,6 89,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Make
+.Xr s6-tlsc-io 8
+exit with a nonzero code if the peer sends EOF without a
+.Ql close_notify
+first.
+.It Fl j
+Treat EOF from the peer as a normal exit condition.
.It Fl Y
Do not send a client certificate.
This is the default.
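Review bot: `.It Fl j` lacks "This is the default." and `.It Fl J` says "nonzero code" rather than the exit 98 documented in s6-tlsc-io.8; align with the engine page.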
@@ 130,7 139,7 @@ spawns a
.Xr s6-tlsc-io 8
program that does.
So it should pay attention to the following variables:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Ev CADIR
or
@@ 171,7 180,7 @@ However,
.Ar prog...
is run with the following additional environment variables, following
the UCSPI-TLS protocol:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev SSLCTLFD
Contains the file descriptor number of the control socket.
.It Ev SSLREADFD
@@ 195,7 204,7 @@ command (as opposed to a
command), it will receive this information as a string sent over the
control socket.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111
M man8/s6-ucspitlsd.8 => man8/s6-ucspitlsd.8 +14 -5
@@ 1,4 1,4 @@
-.Dd January 15, 2023
+.Dd November 20, 2023
.Dt S6-UCSPITLSD 8
.Os
.Sh NAME
@@ 9,6 9,7 @@ then execs into an application
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
+.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity
@@ 59,7 60,7 @@ If it does not, you will not be able to secure your connection, and
what you need is a regular immediate TLS program instead, which means
.Xr s6-tlsd 8 .
.Sh OPTIONS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for
@@ 91,6 92,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
+.It Fl J
+Make
+.Xr s6-tlsd-io 8
+exit with a nonzero code if the peer sends EOF without a
+.Ql close_notify
+first.
+.It Fl j
+Treat EOF from the peer as a normal exit condition.
.It Fl Y
Request an optional client certificate.
.It Fl y
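Review bot: `.It Fl j` lacks "This is the default." and `.It Fl J` says "nonzero code" rather than the exit 98 documented in s6-tlsd-io.8; align with the engine page.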
@@ 147,7 156,7 @@ spawns a
.Xr s6-tlsd-io 8
program that does.
So it should pay attention to the following variables:
-.Bl -bullet -width x
+.Bl -bullet
.It
.Ev CERTFILE
and
@@ 204,7 213,7 @@ However,
.Ar prog...
is run with the following additional environment variables, following
the UCSPI-TLS protocol:
-.Bl -tag -width x
+.Bl -tag -width 2n
.It Ev SSLCTLFD
Contains the file descriptor number of the control socket.
.It Ev SSLREADFD
@@ 228,7 237,7 @@ command (as opposed to a
command), it will receive this information as a string sent over the
control socket.
.Sh EXIT STATUS
-.Bl -tag -width x
+.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111