~flexibeast/s6-networking-man-pages

3267500d7f1325f4f1c468b79efa4e4149ed795b — Alexis 9 months ago f30089e v2.7.0.0.1
Update to s6-networking 2.7.0.0.
M man8/s6-tcpclient.8 => man8/s6-tcpclient.8 +19 -7
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TCPCLIENT 8
.Os
.Sh NAME


@@ 10,7 10,8 @@
.Op Fl 4 | Fl 6
.Op Fl d | Fl D
.Op Fl r | Fl R
.Op Fl h | Fl H
.Op Fl h
.Op Fl H
.Op Fl n | Fl N
.Op Fl t Ar timeout
.Op Fl l Ar localname


@@ 53,7 54,7 @@ The first address to answer wins.
The connection attempt fails if no address in the list is able to
answer.
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl q
Be quiet.
.It Fl Q


@@ 92,10 93,21 @@ compatibility with legacy programs.
Do not use the IDENT protocol.
This is the default.
.It Fl h
Try and obtain the remote host name via DNS.
This is the default.
Consult the
.Pa /etc/hosts
database before performing DNS queries.
The default, when this option is not given, is to ignore
.Pa /etc/hosts .
The
.Fl H
option overrides
.Fl h
and voids any kind of lookup.
.It Fl H
Do not try and obtain the remote host name via DNS.
Do not try and obtain the local or remote host names via DNS.
The default, when this option is not given, is to look up the local
and remote host IPs in the DNS database to get the corresponding
names.
.It Fl n
Qualify
.Ar host
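
Review bot: in the new `-h` entry, "voids any kind of lookup" is vaguer than the `-H` entry just below it, which only speaks of DNS, so a reader of `-H` alone cannot tell that `/etc/hosts` is skipped too. Suggest saying so under `-H` itself, for example "Do not look up the local or remote host names, neither in /etc/hosts nor via DNS." Since `-h` used to be documented as the default DNS lookup and now selects the hosts database, a sentence noting the changed meaning would help people auditing existing invocations.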


@@ 161,7 173,7 @@ is 58.
.Sh ENVIRONMENT
.Ar prog...
is run with the following variables set:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPREMOTEIP

M man8/s6-tcpserver-access.8 => man8/s6-tcpserver-access.8 +24 -10
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TCPSERVER-ACCESS 8
.Os
.Sh NAME


@@ 9,7 9,8 @@
.Op Fl v Ar verbosity
.Op Fl W | Fl w
.Op Fl D | Fl d
.Op Fl H | Fl h
.Op Fl H
.Op Fl h
.Op Fl R | Fl r
.Op Fl P | Fl p
.Op Fl l Ar localname


@@ 64,7 65,7 @@ value.
.Nm
checks its client connection against a ruleset.
This ruleset can be implemented:
.Bl -bullet -width x
.Bl -bullet
.It
either in the filesystem as an arborescence of directories and files,
if the


@@ 115,7 116,7 @@ if
.Ar ip
is v6.
If the result is:
.Bl -tag -width x
.Bl -tag -width 2n
.It Dv S6_ACCESSRULES_ERROR
it immediately exits 111.
.It Dv S6_ACCESSRULES_DENY


@@ 198,10 199,10 @@ execs
into
.Ql execlineb -c Ar newprog .
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose, i.e. print more or less information to stderr:
.Bl -tag -width x
.Bl -tag -width 2n
.It 0
Only log error messages.
.It 1


@@ 236,9 237,22 @@ Disable DNS lookups for the
and
.Ev ${PROTO}REMOTEHOST
environment variables.
The default, when this option is not given, is to try and read them
from DNS.
.It Fl h
Enable DNS lookups.
This is the default.
Consult
.Pa /etc/hosts
before DNS.
The default, when this option is not given, is to ignore
.Pa /etc/hosts .
Note 1: the
.Fl H
option overrides this one, no DNS lookups means that the hosts
database won't be consulted either.
Note 2: if a name is obtained via the hosts database instead of DNS,
any
.Fl p
checks will be disabled for it.
.It Fl R
Disable IDENT lookups for the
.Ev ${PROTO}REMOTEINFO
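
Review bot: Note 2 under `-h` is the security-relevant part of this hunk (a name taken from the hosts database has its `-p` checks disabled), but it sits as running text at the end of the entry, after a Note 1 that is a comma splice. Suggest a `.Pp` before each note, splitting Note 1 into two sentences ("The -H option overrides this one. No DNS lookups means ..."), and repeating the caveat in the `-p` entry so that someone reading only `-p` sees when the check does not apply.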


@@ 298,7 312,7 @@ performed.
.Nm
expects to inherit some environment variables from
its parent:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
Normally TCP, but could be anything else.
.It Ev ${PROTO}LOCALIP


@@ 313,7 327,7 @@ The remote port of the socket.
.Pp
Additionally, it exports the following variables before executing into
.Ar prog... :
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev ${PROTO}REMOTEIP
Via the IDENT protocol if the
.Fl r

M man8/s6-tcpserver.8 => man8/s6-tcpserver.8 +22 -6
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TCPSERVER 8
.Os
.Sh NAME


@@ 58,7 58,7 @@ the
.Nm
is actually a wrapper that rewrites itself into a command line
running:
.Bl -bullet -width x
.Bl -bullet
.It
.Xr s6-tcpserver-socketbinder 8 ,
that binds the socket and listens to it.


@@ 87,8 87,23 @@ processes: one on
.Ql 0.0.0.0
and one on
.Ql :: .
.Pp
The option to make
.Nm
verbose is
.Ql -v ,
without an argument.
This is different from the
.Xr s6-tcpserverd 8
interface, where that would be
.Ql -v 2 .
The difference exists because
.Nm
follows the UCSPI tool[1] interface, whereas
.Xr s6-tcpserverd 8
has no such constraint.
.Ss Signals
.Bl -tag -width x
.Bl -tag -width 2n
.It Dv SIGTERM
Exit.
.It Dv SIGHUP
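
Review bot: the added paragraph cites "UCSPI tool[1]", but no hunk for s6-tcpserver.8 touches the reference list, whereas s6-tcpserverd.8 gets a new "[2]" entry for the same citation. Please check that "[1]" in this page resolves to the UCSPI document and not to an unrelated earlier reference; if it does not, add the entry here as well.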


@@ 107,7 122,7 @@ to all children, then exit.
Send a SIGKILL to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl q
Be quiet.
Only print fatal error messages to stderr.


@@ 169,7 184,8 @@ This is only valid when run as root.
.It Fl U
Change
.Nm Ap
s user id, group id and supplementary group list according to the values of the
s user id, group id and supplementary group list according to the
values of the
.Ev UID ,
.Ev GID
and


@@ 185,7 201,7 @@ then drops its privileges to those of a named non-root account.
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP

M man8/s6-tcpserverd.8 => man8/s6-tcpserverd.8 +25 -4
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TCPSERVERD 8
.Os
.Sh NAME


@@ 60,8 60,26 @@ from a fd-holding daemon
some people call this
.Dq socket activation
.Pc .
.Pp
The option to make
.Nm
verbose is
.Ql -v 2 ,
where the verbosity level is given as an argument, 0 being quiet, 1
normal and 2 verbose.
This is different from the
.Xr s6-tcpserver 8
interface, where
.Ql -v
without an argument would indicate extra verbosity.
The difference exists because
.Xr s6-tcpserver 8
follows the UCSPI tool[2] interface, whereas
.Nm
has no such constraint, and giving the verbosity level as a number is
a better interface.
.Ss Signals
.Bl -tag -width x
.Bl -tag -width 2n
.It Dv SIGTERM
Exit.
.It Dv SIGHUP


@@ 82,7 100,7 @@ Send a
to all children, then exit.
.El
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl 1
Write the local port, followed by newline, to stdout, and close
stdout, right before entering the client-accepting loop.


@@ 116,7 134,7 @@ It is impossible to set it higher than
For each connection, an instance of
.Ar prog...
is spawned with the following variables set:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
Always set to TCP.
.It Ev TCPLOCALIP


@@ 141,6 159,9 @@ Set to the number of connections originating from the same IP address.
[1]
.Lk https://cr.yp.to/ucspi-tcp/tcpserver.html
.Pp
[2]
.Lk https://cr.yp.to/proto/ucspi.txt
.Pp
This man page is ported from the authoritative documentation at:
.Lk https://skarnet.org/software/s6-networking/s6-tcpserverd.html
.Sh AUTHORS

M man8/s6-tlsc-io.8 => man8/s6-tlsc-io.8 +33 -16
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 20, 2023
.Dt S6-TLSC-IO 8
.Os
.Sh NAME


@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
.Op Fl K Ar kimeout


@@ 27,20 28,25 @@ is provided by the chosen SSL backend: BearSSL[1] or LibreSSL[2],
depending on the options given when configuring s6-networking.
.Pp
.Nm
expects to have an open connection it can talk to on its standard
input and output.
It also expects to read cleartext data from file descriptor
expects to read cleartext data to stdin, and write cleartext data to
stdout.
It also expects descriptors
.Ar fdr
and write cleartext data to file descriptor
.Ar fdw .
and
.Ar fdw
to be open
.Po
typically connected to the network
.Pc ,
to respectively read ciphertext from and write ciphertext to.
.Pp
It initiates a TLS handshake over the network connection, expecting a
TLS server on the other side.
.Pp
Then it acts as a full duplex tunnel, decrypting and transmitting data
Then it acts as a full duplex tunnel, encrypting and transmitting data
from stdin to
.Ar fdw ,
and encrypting and transmitting data from
and decrypting and transmitting data from
.Ar fdr
to stdout.
.Pp
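
Review bot: "expects to read cleartext data to stdin" in the rewritten paragraph has the wrong preposition, since data is read from stdin. Because this hunk exists to correct which side carries cleartext and which carries ciphertext, the sentence should be unambiguous: "expects to read cleartext data from stdin, and write cleartext data to stdout".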


@@ 87,7 93,7 @@ If the local application initiates the end of the session by sending
EOF to
.Ar fdr ,
there are two ways for the TLS layer to handle it.
.Bl -enum -width x
.Bl -enum
.It
It can send a
.Ql close_notify
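
Review bot: the unchanged context "sending EOF to fdr" no longer agrees with the DESCRIPTION as rewritten earlier in this file, where `fdr` is the descriptor ciphertext is read from and the local application's cleartext arrives on stdin. Please check this paragraph against the authoritative page and update the descriptor name in the same commit if it is stale.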


@@ 126,7 132,7 @@ force it to use the
.Ql close_notify
method if your application requires it to be secure.
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 142,6 148,15 @@ alert and break the connection when receiving a local EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Treat EOF from the peer without a prior
.Ql close_notify
as an error: print a fatal error message and exit 98.
.It Fl j
Treat EOF from the peer without a prior
.Ql close_notify
as a normal exit condition.
This is the default.
.It Fl Y
Do not send a client certificate.
This is the default.
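
Review bot: the `-J` entry introduces exit code 98, but the only EXIT STATUS hunk for this file changes the list width and adds no entry, so please confirm 98 is listed there. It would also help to say why `-J` exists: with the default `-j`, an EOF that arrives without `close_notify` is reported as a normal end, so the application cannot tell a truncated stream from a complete one.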


@@ 152,11 167,13 @@ Use Server Name Indication, and send
.Ar servername .
The default is not to use SNI, which may be a security risk.
.It Fl K Ar kimeout
If the peer fails to send data for
If the handshake takes more than
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
milliseconds to complete, close the connection.
The default is 0, which means infinite timeout
.Po
never kill the connection
.Pc .
.It Fl d Ar notif
Handshake notification.
.Ar notif


@@ 189,7 206,7 @@ If both are set,
.Ev CADIR
has priority.
The value of that variable is:
.Bl -bullet -width x
.Bl -bullet
.It
for
.Ev CADIR :


@@ 231,7 248,7 @@ should drop its own root privileges by its own means: the
.Xr s6-applyuidgid 8
program is a chainloading way of doing it.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 0
The connection terminated normally.
.It 96

M man8/s6-tlsc.8 => man8/s6-tlsc.8 +20 -9
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 20, 2023
.Dt S6-TLSC 8
.Os
.Sh NAME


@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity


@@ 60,7 61,7 @@ and the server command line to
without changing the client or the server themselves, and the
communication between them will be secure.
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 93,6 94,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Make
.Xr s6-tlsc-io 8
exit with a nonzero code if the peer sends EOF without a
.Ql close_notify
first.
.It Fl j
Treat EOF from the peer as a normal exit condition.
.It Fl Y
Do not send a client certificate.
This is the default.
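
Review bot: the `-j` entry here omits "This is the default.", which the matching s6-tlsc-io.8 entry states, and drops the "without a prior close_notify" qualifier, so next to it `-J` reads as if it rejected every EOF. Suggest "Treat EOF from the peer without a prior close_notify as a normal exit condition. This is the default." The same shortened wording is used in s6-tlsd.8, s6-ucspitlsc.8 and s6-ucspitlsd.8.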


@@ 103,11 112,13 @@ Use Server Name Indication, and send
.Ar servername .
The default is not to use SNI, which may be a security risk.
.It Fl K Ar kimeout
If the peer fails to send data for
If the handshake takes more than
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
milliseconds to complete, close the connection.
The default is 0, which means infinite timeout
.Po
never kill the connection
.Pc .
.It Fl 6 Ar fdr
Expect an open file descriptor numbered
.Ar fdr


@@ 134,7 145,7 @@ does not expect to have any particular environment variables, but it spawns an
.Xr s6-tlsc-io 8
program that does.
So it should pay attention to the following variables:
.Bl -bullet -width x
.Bl -bullet
.It
.Ev CADIR
or


@@ 172,7 183,7 @@ option prevents that behaviour.
However,
.Ar prog...
is run with the following additional environment variables:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev SSL_PROTOCOL
Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2...
.It Ev SSL_CIPHER


@@ 201,7 212,7 @@ of the certificate is the CN field in that data.
More similar environment variables containing information about the
connection may be added in the future.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111

M man8/s6-tlsclient.8 => man8/s6-tlsclient.8 +20 -10
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TLSCLIENT 8
.Os
.Sh NAME


@@ 18,7 18,7 @@ then executes into a program.
.Pp
.Nm
rewrites itself into a command line involving:
.Bl -bullet -width x
.Bl -bullet
.It
.Xr s6-tcpclient 8 ,
which establishes a TCP connection to host


@@ 73,7 73,7 @@ accepts a myriad of options, all of which are passed as is to the
correct executable.
Not giving any options will generally work: the defaults are sensible.
.Ss Options passed as-is to Xr s6-tcpclient 1
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl q , Fl Q , Fl v
Be quiet, normally verbose, or verbose.
.It Fl 4 , Fl 6
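
Review bot: the context line `.Ss Options passed as-is to Xr s6-tcpclient 1` cites section 1, while the page is man8/s6-tcpclient.8 and the body of this file uses `.Xr s6-tcpclient 8`. Worth fixing while these lists are being touched; the `Xr s6-tlsc 1` subsection header further down, and the `s6-tcpserver 1`, `s6-tcpserver-access 1` and `s6-tlsd 1` headers in s6-tlsserver.8, have the same mismatch.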


@@ 82,10 82,14 @@ Stick to IPv4 or IPv6 addresses.
Enable or disable Nagle's algorithm.
.It Fl r , Fl R
Enable or disable IDENT lookup.
.It Fl h , Fl H
Enable or disable DNS lookups.
.It Fl H
Disable DNS lookups.
.It Fl h
Consult
.Pa /etc/hosts
before DNS.
.It Fl l Ar localname
Get the local name from the command line, not from a DNS lookup.
Get the local name from the command line, don't look it up.
.It Fl n , Fl N
Qualify the host or not when resolving it.
.It Fl t Ar timeout


@@ 96,13 100,19 @@ Force local socket parameters.
Configurable connection timeouts.
.El
.Ss Options passed as-is to Xr s6-tlsc 1
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsc-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
Use close_notify or EOF to signal the end of a TLS connection.
Use
.Ql close_notify
or EOF to signal the end of a TLS connection.
.It Fl J , Fl j
Exit nonzero with an error message when the peer fails to
.Ql close_notify ,
or ignore it.
.It Fl Y , Fl y
Don't send, or send, a client certificate.
.It Fl k Ar servername


@@ 116,7 126,7 @@ The following variables should be set before invoking
.Nm ,
because they will be used by
.Xr s6-tlsc-io 8 :
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev CADIR
.It Ev CAFILE
(alternative to CADIR)


@@ 136,7 146,7 @@ Setting either CADIR or CAFILE is mandatory.
is run with the following variables added to, or removed from, its
environment by
.Xr s6-tcpclient 8 :
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
.It Ev TCPREMOTEIP
.It Ev TCPREMOTEPORT

M man8/s6-tlsd-io.8 => man8/s6-tlsd-io.8 +22 -10
@@ 1,4 1,4 @@
.Dd January 15, 2023
.Dd November 20, 2023
.Dt S6-TLSD-IO 8
.Os
.Sh NAME


@@ 8,6 8,7 @@ communicate with an existing local program over already established pipes
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl v Ar verbosity
.Op Fl K Ar kimeout


@@ 80,7 81,7 @@ If the local application initiates the end of the session by sending
EOF to
.Ar fdr ,
there are two ways for the TLS layer to handle it.
.Bl -bullet -width x
.Bl -bullet
.It
It can send a
.Ql close_notify


@@ 118,7 119,7 @@ option, you can force it to use the
.Ql close_notify
method if your application requires it to be secure.
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 134,6 135,15 @@ alert and break the connection when receiving a local EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Treat EOF from the peer without a prior
.Ql close_notify
as an error: print a fatal error message and exit 98.
.It Fl j
Treat EOF from the peer without a prior
.Ql close_notify
as a normal exit condition.
This is the default.
.It Fl Y
Request a client certificate.
The certificate is optional: if the client gives none, the connection


@@ 148,11 158,13 @@ nor the
.Fl y
option, is not to request a client certificate at all.
.It Fl K Ar kimeout
If the peer fails to send data for
If the handshake takes more than
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
milliseconds to complete, close the connection.
The default is 0, which means infinite timeout
.Po
never kill the connection
.Pc .
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If
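
Review bot: the reworded `-K` entry keeps "The default is 0, which means infinite timeout" without saying what that implies on the server side: a client that connects and never completes the handshake keeps its process until the connection drops. Suggest one sentence recommending a nonzero `kimeout` for servers exposed to untrusted clients.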


@@ 208,7 220,7 @@ If this option is not given, no such notification is performed.
.Sh ENVIRONMENT
.Nm
expects to have the following environment variables set:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev KEYFILE
A path to the file containing the server's private key, DER- or
PEM-encoded.


@@ 264,7 276,7 @@ expand the asterisks.
If you are using client certificates,
.Nm
also requires either one of the following variables to be set:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev CADIR
A directory where trust anchors (i.e. root or intermediate CA
certificates) can be found, one per file, DER- or PEM-encoded.


@@ 285,7 297,7 @@ private key file.
This ensures that the engine, including the handshake, is run with as
little privilege as possible.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 0
The connection terminated normally.
.It 96

M man8/s6-tlsd.8 => man8/s6-tlsd.8 +20 -9
@@ 1,4 1,4 @@
.Dd January 15, 2023
.Dd November 20, 2023
.Dt S6-TLSD 8
.Os
.Sh NAME


@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity


@@ 65,7 66,7 @@ and the server command line to
without changing the client or the server themselves, and the
communication between them will be secure.
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 98,6 99,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Make
.Xr s6-tlsd-io 8
exit with a nonzero code if the peer sends EOF without a
.Ql close_notify
first.
.It Fl j
Treat EOF from the peer as a normal exit condition.
.It Fl Y
Request an optional client certificate.
.It Fl y


@@ 108,11 117,13 @@ nor the
.Fl y
option, is not to request a client certificate at all.
.It Fl K Ar kimeout
If the peer fails to send data for
If the handshake takes more than
.Ar kimeout
milliseconds during the handshake, close the connection.
The default is 0, which means infinite timeout (never kill the
connection).
milliseconds to complete, close the connection.
The default is 0, which means infinite timeout
.Po
never kill the connection
.Pc .
.It Fl k Ar snilevel
Support alternative certificate chains for SNI.
If


@@ 154,7 165,7 @@ spawns an
.Xr s6-tlsd-io 8
program that does.
So it should pay attention to the following variables:
.Bl -bullet -width x
.Bl -bullet
.It
.Ev KEYFILE
and


@@ 212,7 223,7 @@ as well.
However,
.Ar prog...
is run with the following additional environment variables:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev SSL_PROTOCOL
Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2...
.It Ev SSL_CIPHER


@@ 239,7 250,7 @@ of the certificate is the CN field in that data.
More similar environment variables containing information about the
connection may be added in the future.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111

M man8/s6-tlsserver.8 => man8/s6-tlsserver.8 +22 -12
@@ 1,4 1,4 @@
.Dd November 11, 2023
.Dd November 20, 2023
.Dt S6-TLSSERVER 8
.Os
.Sh NAME


@@ 19,7 19,7 @@ executes into a program.
.Pp
.Nm
rewrites itself into a command line involving:
.Bl -bullet -width x
.Bl -bullet
.It
.Xr s6-tcpserver 8 ,
which listens to TCP connections on IP address


@@ 84,7 84,7 @@ a very public server (such as a Web server) or base your access
control on client certificates, you probably still want TCP access
rules.
.Ss Options passed as-is to Xr s6-tcpserver 1
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl q , Fl Q , Fl v
.It Fl 1
.It Fl c Ar maxconn


@@ 92,7 92,7 @@ rules.
.It Fl b Ar backlog
.El
.Ss Options passed as-is to Xr s6-tcpserver-access 1
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v0 , Fl v2
The verbosity level.
.It Fl w , Fl W


@@ 103,10 103,14 @@ Enable or disable Nagle's algorithm.
Enable or disable IDENT lookups.
.It Fl p , Fl P
Enable or disable paranoid DNS cross-checking.
.It Fl h , Fl H
Enable or disable DNS lookups.
.It Fl H
Disable DNS lookups.
.It Fl h
Consult
.Pa /etc/hosts
before DNS.
.It Fl l Ar localname
Get the local name from the command line, not from DNS.
Get the local name from the command line, don't look it up.
.It Fl B Ar banner
Initial server-side banner.
.It Fl t Ar timeout
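
Review bot: `-h` now means "Consult /etc/hosts before DNS" and sits directly under `-p` "paranoid DNS cross-checking", but the summary does not carry over the caveat from s6-tcpserver-access.8 that a name obtained from the hosts database disables the `-p` checks for it. Suggest adding a short pointer in the `-h` entry, since operators reading only this page may pass both options.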


@@ 115,13 119,19 @@ Set a timeout for all the lookups.
TCP access control.
.El
.Ss Options passed as-is to Xr s6-tlsd 1
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl Z , Fl z
Keep or remove the
.Xr s6-tlsd-io 8 Ns
-specific variables from the application's environment.
.It Fl S , Fl s
Use close_notify or EOF to signal the end of a TLS connection.
Use
.Ql close_notify
or EOF to signal the end of a TLS connection.
.It Fl J , Fl j
Exit nonzero with an error message when the peer fails to
.Ql close_notify ,
or ignore it.
.It Fl Y , Fl y
Request an optional or a mandatory client certificate.
.It Fl K Ar kimeout


@@ 130,7 140,7 @@ Set a timeout for the TLS handshake.
Support SNI-based certificate chains.
.El
.Ss Options passed to s6-applyuidgid
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl u Ar uid , Fl g Ar gid , Fl G Ar gidlist
Set uid, gid, or supplementary group list.
.It Fl U Po passed as Fl Uz Pc


@@ 149,7 159,7 @@ because they will be used by
every
.Xr s6-tlsd 8
invocation:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev KEYFILE
.It Ev CERTFILE
.It Ev TLS_UID and Ev TLS_GI
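
Review bot: the context line `.It Ev TLS_UID and Ev TLS_GI` ends in `TLS_GI`, which looks like a truncated `TLS_GID`. If the file really reads this way, correct it here, since this is the variable list an operator copies when setting up privilege dropping.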


@@ 177,7 187,7 @@ or removed from, its environment by
.Xr s6-tcpserverd 8
and possibly by
.Xr s6-tcpserver-access 8 :
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev PROTO
.It Ev TCPREMOTEIP
.It Ev TCPREMOTEPORT

M man8/s6-ucspitlsc.8 => man8/s6-ucspitlsc.8 +14 -5
@@ 1,4 1,4 @@
.Dd September 29, 2021
.Dd November 20, 2023
.Dt S6-UCSPITLSC 8
.Os
.Sh NAME


@@ 7,6 7,7 @@
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity


@@ 56,7 57,7 @@ If it does not, you will not be able to secure your connection, and
what you need is a regular immediate TLS program instead, which means
.Xr s6-tlsc 8 .
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 88,6 89,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Make
.Xr s6-tlsc-io 8
exit with a nonzero code if the peer sends EOF without a
.Ql close_notify
first.
.It Fl j
Treat EOF from the peer as a normal exit condition.
.It Fl Y
Do not send a client certificate.
This is the default.


@@ 130,7 139,7 @@ spawns a
.Xr s6-tlsc-io 8
program that does.
So it should pay attention to the following variables:
.Bl -bullet -width x
.Bl -bullet
.It
.Ev CADIR
or


@@ 171,7 180,7 @@ However,
.Ar prog...
is run with the following additional environment variables, following
the UCSPI-TLS protocol:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev SSLCTLFD
Contains the file descriptor number of the control socket.
.It Ev SSLREADFD


@@ 195,7 204,7 @@ command (as opposed to a
command), it will receive this information as a string sent over the
control socket.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111

M man8/s6-ucspitlsd.8 => man8/s6-ucspitlsd.8 +14 -5
@@ 1,4 1,4 @@
.Dd January 15, 2023
.Dd November 20, 2023
.Dt S6-UCSPITLSD 8
.Os
.Sh NAME


@@ 9,6 9,7 @@ then execs into an application
.Sh SYNOPSIS
.Nm
.Op Fl S | Fl s
.Op Fl J | Fl j
.Op Fl Y | Fl y
.Op Fl Z | Fl z
.Op Fl v Ar verbosity


@@ 59,7 60,7 @@ If it does not, you will not be able to secure your connection, and
what you need is a regular immediate TLS program instead, which means
.Xr s6-tlsd 8 .
.Sh OPTIONS
.Bl -tag -width x
.Bl -tag -width 2n
.It Fl v Ar verbosity
Be more or less verbose.
Default for


@@ 91,6 92,14 @@ sends EOF.
Transmit EOF by half-closing the TCP connection without using
.Ql close_notify .
This is the default.
.It Fl J
Make
.Xr s6-tlsd-io 8
exit with a nonzero code if the peer sends EOF without a
.Ql close_notify
first.
.It Fl j
Treat EOF from the peer as a normal exit condition.
.It Fl Y
Request an optional client certificate.
.It Fl y


@@ 147,7 156,7 @@ spawns a
.Xr s6-tlsd-io 8
program that does.
So it should pay attention to the following variables:
.Bl -bullet -width x
.Bl -bullet
.It
.Ev CERTFILE
and


@@ 204,7 213,7 @@ However,
.Ar prog...
is run with the following additional environment variables, following
the UCSPI-TLS protocol:
.Bl -tag -width x
.Bl -tag -width 2n
.It Ev SSLCTLFD
Contains the file descriptor number of the control socket.
.It Ev SSLREADFD


@@ 228,7 237,7 @@ command (as opposed to a
command), it will receive this information as a string sent over the
control socket.
.Sh EXIT STATUS
.Bl -tag -width x
.Bl -tag -width 2n
.It 100
Wrong usage.
.It 111