From 3267500d7f1325f4f1c468b79efa4e4149ed795b Mon Sep 17 00:00:00 2001 From: Alexis Date: Mon, 20 Nov 2023 21:50:43 +1100 Subject: [PATCH] Update to s6-networking 2.7.0.0. --- man8/s6-tcpclient.8 | 26 ++++++++++++++------ man8/s6-tcpserver-access.8 | 34 ++++++++++++++++++-------- man8/s6-tcpserver.8 | 28 +++++++++++++++++----- man8/s6-tcpserverd.8 | 29 ++++++++++++++++++---- man8/s6-tlsc-io.8 | 49 +++++++++++++++++++++++++------------- man8/s6-tlsc.8 | 29 +++++++++++++++------- man8/s6-tlsclient.8 | 30 +++++++++++++++-------- man8/s6-tlsd-io.8 | 32 +++++++++++++++++-------- man8/s6-tlsd.8 | 29 +++++++++++++++------- man8/s6-tlsserver.8 | 34 ++++++++++++++++---------- man8/s6-ucspitlsc.8 | 19 +++++++++++---- man8/s6-ucspitlsd.8 | 19 +++++++++++---- 12 files changed, 255 insertions(+), 103 deletions(-) diff --git a/man8/s6-tcpclient.8 b/man8/s6-tcpclient.8 index 051c578..896f36a 100644 --- a/man8/s6-tcpclient.8 +++ b/man8/s6-tcpclient.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TCPCLIENT 8 .Os .Sh NAME @@ -10,7 +10,8 @@ .Op Fl 4 | Fl 6 .Op Fl d | Fl D .Op Fl r | Fl R -.Op Fl h | Fl H +.Op Fl h +.Op Fl H .Op Fl n | Fl N .Op Fl t Ar timeout .Op Fl l Ar localname @@ -53,7 +54,7 @@ The first address to answer wins. The connection attempt fails if no address in the list is able to answer. .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl q Be quiet. .It Fl Q 
@@ -92,10 +93,21 @@ compatibility with legacy programs. Do not use the IDENT protocol. This is the default. .It Fl h -Try and obtain the remote host name via DNS. -This is the default. +Consult the +.Pa /etc/hosts +database before performing DNS queries. +The default, when this option is not given, is to ignore +.Pa /etc/hosts . +The +.Fl H +option overrides +.Fl h +and voids any kind of lookup. .It Fl H -Do not try and obtain the remote host name via DNS. +Do not try and obtain the local or remote host names via DNS. +The default, when this option is not given, is to look up the local +and remote host IPs in the DNS database to get the corresponding +names. .It Fl n Qualify .Ar host @@ -161,7 +173,7 @@ is 58. .Sh ENVIRONMENT .Ar prog... is run with the following variables set: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO Always set to TCP. .It Ev TCPREMOTEIP diff --git a/man8/s6-tcpserver-access.8 b/man8/s6-tcpserver-access.8 index e46469d..81fc9cd 100644 --- a/man8/s6-tcpserver-access.8 +++ b/man8/s6-tcpserver-access.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TCPSERVER-ACCESS 8 .Os .Sh NAME @@ -9,7 +9,8 @@ .Op Fl v Ar verbosity .Op Fl W | Fl w .Op Fl D | Fl d -.Op Fl H | Fl h +.Op Fl H +.Op Fl h .Op Fl R | Fl r .Op Fl P | Fl p .Op Fl l Ar localname @@ -64,7 +65,7 @@ value. .Nm checks its client connection against a ruleset. This ruleset can be implemented: -.Bl -bullet -width x +.Bl -bullet .It either in the filesystem as an arborescence of directories and files, if the @@ -115,7 +116,7 @@ if .Ar ip is v6. If the result is: -.Bl -tag -width x +.Bl -tag -width 2n .It Dv S6_ACCESSRULES_ERROR it immediately exits 111. .It Dv S6_ACCESSRULES_DENY @@ -198,10 +199,10 @@ execs into .Ql execlineb -c Ar newprog . .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose, i.e. print more or less information to stderr: -.Bl -tag -width x +.Bl -tag -width 2n .It 0 Only log error messages. .It 1 
@@ -236,9 +237,22 @@ Disable DNS lookups for the and .Ev ${PROTO}REMOTEHOST environment variables. +The default, when this option is not given, is to try and read them +from DNS. .It Fl h -Enable DNS lookups. -This is the default. +Consult +.Pa /etc/hosts +before DNS. +The default, when this option is not given, is to ignore +.Pa /etc/hosts . +Note 1: the +.Fl H +option overrides this one, no DNS lookups means that the hosts +database won't be consulted either. +Note 2: if a name is obtained via the hosts database instead of DNS, +any +.Fl p +checks will be disabled for it. .It Fl R Disable IDENT lookups for the .Ev ${PROTO}REMOTEINFO @@ -298,7 +312,7 @@ performed. .Nm expects to inherit some environment variables from its parent: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO Normally TCP, but could be anything else. .It Ev ${PROTO}LOCALIP @@ -313,7 +327,7 @@ The remote port of the socket. .Pp Additionally, it exports the following variables before executing into .Ar prog... : -.Bl -tag -width x +.Bl -tag -width 2n .It Ev ${PROTO}REMOTEIP Via the IDENT protocol if the .Fl r diff --git a/man8/s6-tcpserver.8 b/man8/s6-tcpserver.8 index 4faf811..aaf3809 100644 --- a/man8/s6-tcpserver.8 +++ b/man8/s6-tcpserver.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TCPSERVER 8 .Os .Sh NAME @@ -58,7 +58,7 @@ the .Nm is actually a wrapper that rewrites itself into a command line running: -.Bl -bullet -width x +.Bl -bullet .It .Xr s6-tcpserver-socketbinder 8 , that binds the socket and listens to it. @@ -87,8 +87,23 @@ processes: one on .Ql 0.0.0.0 and one on .Ql :: . +.Pp +The option to make +.Nm +verbose is +.Ql -v , +without an argument. +This is different from the +.Xr s6-tcpserverd 8 +interface, where that would be +.Ql -v 2 . +The difference exists because +.Nm +follows the UCSPI tool[1] interface, whereas +.Xr s6-tcpserverd 8 +has no such constraint. .Ss Signals -.Bl -tag -width x +.Bl -tag -width 2n .It Dv SIGTERM Exit. .It Dv SIGHUP 
@@ -107,7 +122,7 @@ to all children, then exit. Send a SIGKILL to all children, then exit. .El .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl q Be quiet. Only print fatal error messages to stderr. @@ -169,7 +184,8 @@ This is only valid when run as root. .It Fl U Change .Nm Ap -s user id, group id and supplementary group list according to the values of the +s user id, group id and supplementary group list according to the +values of the .Ev UID , .Ev GID and @@ -185,7 +201,7 @@ then drops its privileges to those of a named non-root account. For each connection, an instance of .Ar prog... is spawned with the following variables set: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO Always set to TCP. .It Ev TCPLOCALIP diff --git a/man8/s6-tcpserverd.8 b/man8/s6-tcpserverd.8 index c3d3ccd..3d3a65f 100644 --- a/man8/s6-tcpserverd.8 +++ b/man8/s6-tcpserverd.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TCPSERVERD 8 .Os .Sh NAME @@ -60,8 +60,26 @@ from a fd-holding daemon some people call this .Dq socket activation .Pc . +.Pp +The option to make +.Nm +verbose is +.Ql -v 2 , +where the verbosity level is given as an argument, 0 being quiet, 1 +normal and 2 verbose. +This is different from the +.Xr s6-tcpserver 8 +interface, where +.Ql -v +without an argument would indicate extra verbosity. +The difference exists because +.Xr s6-tcpserver 8 +follows the UCSPI tool[2] interface, whereas +.Nm +has no such constraint, and giving the verbosity level as a number is +a better interface. .Ss Signals -.Bl -tag -width x +.Bl -tag -width 2n .It Dv SIGTERM Exit. .It Dv SIGHUP @@ -82,7 +100,7 @@ Send a to all children, then exit. .El .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl 1 Write the local port, followed by newline, to stdout, and close stdout, right before entering the client-accepting loop. 
@@ -116,7 +134,7 @@ It is impossible to set it higher than For each connection, an instance of .Ar prog... is spawned with the following variables set: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO Always set to TCP. .It Ev TCPLOCALIP @@ -141,6 +159,9 @@ Set to the number of connections originating from the same IP address. [1] .Lk https://cr.yp.to/ucspi-tcp/tcpserver.html .Pp +[2] +.Lk https://cr.yp.to/proto/ucspi.txt +.Pp This man page is ported from the authoritative documentation at: .Lk https://skarnet.org/software/s6-networking/s6-tcpserverd.html .Sh AUTHORS diff --git a/man8/s6-tlsc-io.8 b/man8/s6-tlsc-io.8 index 303e9fa..9eb074e 100644 --- a/man8/s6-tlsc-io.8 +++ b/man8/s6-tlsc-io.8 @@ -1,4 +1,4 @@ -.Dd September 29, 2021 +.Dd November 20, 2023 .Dt S6-TLSC-IO 8 .Os .Sh NAME @@ -7,6 +7,7 @@ .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl v Ar verbosity .Op Fl K Ar kimeout @@ -27,20 +28,25 @@ is provided by the chosen SSL backend: BearSSL[1] or LibreSSL[2], depending on the options given when configuring s6-networking. .Pp .Nm -expects to have an open connection it can talk to on its standard -input and output. -It also expects to read cleartext data from file descriptor +expects to read cleartext data to stdin, and write cleartext data to +stdout. +It also expects descriptors .Ar fdr -and write cleartext data to file descriptor -.Ar fdw . +and +.Ar fdw +to be open +.Po +typically connected to the network +.Pc , +to respectively read ciphertext from and write ciphertext to. .Pp It initiates a TLS handshake over the network connection, expecting a TLS server on the other side. .Pp -Then it acts as a full duplex tunnel, decrypting and transmitting data +Then it acts as a full duplex tunnel, encrypting and transmitting data from stdin to .Ar fdw , -and encrypting and transmitting data from +and decrypting and transmitting data from .Ar fdr to stdout. .Pp 
@@ -87,7 +93,7 @@ If the local application initiates the end of the session by sending EOF to .Ar fdr , there are two ways for the TLS layer to handle it. -.Bl -enum -width x +.Bl -enum .It It can send a .Ql close_notify @@ -126,7 +132,7 @@ force it to use the .Ql close_notify method if your application requires it to be secure. .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for @@ -142,6 +148,15 @@ alert and break the connection when receiving a local EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Treat EOF from the peer without a prior +.Ql close_notify +as an error: print a fatal error message and exit 98. +.It Fl j +Treat EOF from the peer without a prior +.Ql close_notify +as a normal exit condition. +This is the default. .It Fl Y Do not send a client certificate. This is the default. @@ -152,11 +167,13 @@ Use Server Name Indication, and send .Ar servername . The default is not to use SNI, which may be a security risk. .It Fl K Ar kimeout -If the peer fails to send data for +If the handshake takes more than .Ar kimeout -milliseconds during the handshake, close the connection. -The default is 0, which means infinite timeout (never kill the -connection). +milliseconds to complete, close the connection. +The default is 0, which means infinite timeout +.Po +never kill the connection +.Pc . .It Fl d Ar notif Handshake notification. .Ar notif @@ -189,7 +206,7 @@ If both are set, .Ev CADIR has priority. The value of that variable is: -.Bl -bullet -width x +.Bl -bullet .It for .Ev CADIR : @@ -231,7 +248,7 @@ should drop its own root privileges by its own means: the .Xr s6-applyuidgid 8 program is a chainloading way of doing it. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 0 The connection terminated normally. .It 96 diff --git a/man8/s6-tlsc.8 b/man8/s6-tlsc.8 index 2960a0c..8bb6fe3 100644 --- a/man8/s6-tlsc.8 
+++ b/man8/s6-tlsc.8 @@ -1,4 +1,4 @@ -.Dd September 29, 2021 +.Dd November 20, 2023 .Dt S6-TLSC 8 .Os .Sh NAME @@ -7,6 +7,7 @@ .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity @@ -60,7 +61,7 @@ and the server command line to without changing the client or the server themselves, and the communication between them will be secure. .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for @@ -93,6 +94,14 @@ sends EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Make +.Xr s6-tlsc-io 8 +exit with a nonzero code if the peer sends EOF without a +.Ql close_notify +first. +.It Fl j +Treat EOF from the peer as a normal exit condition. .It Fl Y Do not send a client certificate. This is the default. @@ -103,11 +112,13 @@ Use Server Name Indication, and send .Ar servername . The default is not to use SNI, which may be a security risk. .It Fl K Ar kimeout -If the peer fails to send data for +If the handshake takes more than .Ar kimeout -milliseconds during the handshake, close the connection. -The default is 0, which means infinite timeout (never kill the -connection). +milliseconds to complete, close the connection. +The default is 0, which means infinite timeout +.Po +never kill the connection +.Pc . .It Fl 6 Ar fdr Expect an open file descriptor numbered .Ar fdr @@ -134,7 +145,7 @@ does not expect to have any particular environment variables, but it spawns an .Xr s6-tlsc-io 8 program that does. So it should pay attention to the following variables: -.Bl -bullet -width x +.Bl -bullet .It .Ev CADIR or @@ -172,7 +183,7 @@ option prevents that behaviour. However, .Ar prog... is run with the following additional environment variables: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev SSL_PROTOCOL Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2... .It Ev SSL_CIPHER 
@@ -201,7 +212,7 @@ of the certificate is the CN field in that data. More similar environment variables containing information about the connection may be added in the future. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 100 Wrong usage. .It 111 diff --git a/man8/s6-tlsclient.8 b/man8/s6-tlsclient.8 index ab8fd34..50ca590 100644 --- a/man8/s6-tlsclient.8 +++ b/man8/s6-tlsclient.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TLSCLIENT 8 .Os .Sh NAME @@ -18,7 +18,7 @@ then executes into a program. .Pp .Nm rewrites itself into a command line involving: -.Bl -bullet -width x +.Bl -bullet .It .Xr s6-tcpclient 8 , which establishes a TCP connection to host @@ -73,7 +73,7 @@ accepts a myriad of options, all of which are passed as is to the correct executable. Not giving any options will generally work: the defaults are sensible. .Ss Options passed as-is to Xr s6-tcpclient 1 -.Bl -tag -width x +.Bl -tag -width 2n .It Fl q , Fl Q , Fl v Be quiet, normally verbose, or verbose. .It Fl 4 , Fl 6 @@ -82,10 +82,14 @@ Stick to IPv4 or IPv6 addresses. Enable or disable Nagle's algorithm. .It Fl r , Fl R Enable or disable IDENT lookup. -.It Fl h , Fl H -Enable or disable DNS lookups. +.It Fl H +Disable DNS lookups. +.It Fl h +Consult +.Pa /etc/hosts +before DNS. .It Fl l Ar localname -Get the local name from the command line, not from a DNS lookup. +Get the local name from the command line, don't look it up. .It Fl n , Fl N Qualify the host or not when resolving it. .It Fl t Ar timeout 
@@ -96,13 +100,19 @@ Force local socket parameters. Configurable connection timeouts. .El .Ss Options passed as-is to Xr s6-tlsc 1 -.Bl -tag -width x +.Bl -tag -width 2n .It Fl Z , Fl z Keep or remove the .Xr s6-tlsc-io 8 Ns -specific variables from the application's environment. .It Fl S , Fl s -Use close_notify or EOF to signal the end of a TLS connection. +Use +.Ql close_notify +or EOF to signal the end of a TLS connection. +.It Fl J , Fl j +Exit nonzero with an error message when the peer fails to +.Ql close_notify , +or ignore it. .It Fl Y , Fl y Don't send, or send, a client certificate. .It Fl k Ar servername @@ -116,7 +126,7 @@ The following variables should be set before invoking .Nm , because they will be used by .Xr s6-tlsc-io 8 : -.Bl -tag -width x +.Bl -tag -width 2n .It Ev CADIR .It Ev CAFILE (alternative to CADIR) @@ -136,7 +146,7 @@ Setting either CADIR or CAFILE is mandatory. is run with the following variables added to, or removed from, its environment by .Xr s6-tcpclient 8 : -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO .It Ev TCPREMOTEIP .It Ev TCPREMOTEPORT diff --git a/man8/s6-tlsd-io.8 b/man8/s6-tlsd-io.8 index 3189c1b..6829fab 100644 --- a/man8/s6-tlsd-io.8 +++ b/man8/s6-tlsd-io.8 @@ -1,4 +1,4 @@ -.Dd January 15, 2023 +.Dd November 20, 2023 .Dt S6-TLSD-IO 8 .Os .Sh NAME @@ -8,6 +8,7 @@ communicate with an existing local program over already established pipes .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl v Ar verbosity .Op Fl K Ar kimeout @@ -80,7 +81,7 @@ If the local application initiates the end of the session by sending EOF to .Ar fdr , there are two ways for the TLS layer to handle it. -.Bl -bullet -width x +.Bl -bullet .It It can send a .Ql close_notify @@ -118,7 +119,7 @@ option, you can force it to use the .Ql close_notify method if your application requires it to be secure. .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for 
@@ -134,6 +135,15 @@ alert and break the connection when receiving a local EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Treat EOF from the peer without a prior +.Ql close_notify +as an error: print a fatal error message and exit 98. +.It Fl j +Treat EOF from the peer without a prior +.Ql close_notify +as a normal exit condition. +This is the default. .It Fl Y Request a client certificate. The certificate is optional: if the client gives none, the connection @@ -148,11 +158,13 @@ nor the .Fl y option, is not to request a client certificate at all. .It Fl K Ar kimeout -If the peer fails to send data for +If the handshake takes more than .Ar kimeout -milliseconds during the handshake, close the connection. -The default is 0, which means infinite timeout (never kill the -connection). +milliseconds to complete, close the connection. +The default is 0, which means infinite timeout +.Po +never kill the connection +.Pc . .It Fl k Ar snilevel Support alternative certificate chains for SNI. If @@ -208,7 +220,7 @@ If this option is not given, no such notification is performed. .Sh ENVIRONMENT .Nm expects to have the following environment variables set: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev KEYFILE A path to the file containing the server's private key, DER- or PEM-encoded. @@ -264,7 +276,7 @@ expand the asterisks. If you are using client certificates, .Nm also requires either one of the following variables to be set: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev CADIR A directory where trust anchors (i.e. root or intermediate CA certificates) can be found, one per file, DER- or PEM-encoded. @@ -285,7 +297,7 @@ private key file. This ensures that the engine, including the handshake, is run with as little privilege as possible. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 0 The connection terminated normally. .It 96 
diff --git a/man8/s6-tlsd.8 b/man8/s6-tlsd.8 index 776b4b3..35a9bb0 100644 --- a/man8/s6-tlsd.8 +++ b/man8/s6-tlsd.8 @@ -1,4 +1,4 @@ -.Dd January 15, 2023 +.Dd November 20, 2023 .Dt S6-TLSD 8 .Os .Sh NAME @@ -7,6 +7,7 @@ .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity @@ -65,7 +66,7 @@ and the server command line to without changing the client or the server themselves, and the communication between them will be secure. .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for @@ -98,6 +99,14 @@ sends EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Make +.Xr s6-tlsd-io 8 +exit with a nonzero code if the peer sends EOF without a +.Ql close_notify +first. +.It Fl j +Treat EOF from the peer as a normal exit condition. .It Fl Y Request an optional client certificate. .It Fl y @@ -108,11 +117,13 @@ nor the .Fl y option, is not to request a client certificate at all. .It Fl K Ar kimeout -If the peer fails to send data for +If the handshake takes more than .Ar kimeout -milliseconds during the handshake, close the connection. -The default is 0, which means infinite timeout (never kill the -connection). +milliseconds to complete, close the connection. +The default is 0, which means infinite timeout +.Po +never kill the connection +.Pc . .It Fl k Ar snilevel Support alternative certificate chains for SNI. If @@ -154,7 +165,7 @@ spawns an .Xr s6-tlsd-io 8 program that does. So it should pay attention to the following variables: -.Bl -bullet -width x +.Bl -bullet .It .Ev KEYFILE and @@ -212,7 +223,7 @@ as well. However, .Ar prog... is run with the following additional environment variables: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev SSL_PROTOCOL Contains the protocol version: TLSv1, TLSv1.1, TLSv1.2... .It Ev SSL_CIPHER 
@@ -239,7 +250,7 @@ of the certificate is the CN field in that data. More similar environment variables containing information about the connection may be added in the future. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 100 Wrong usage. .It 111 diff --git a/man8/s6-tlsserver.8 b/man8/s6-tlsserver.8 index 0dcb731..d35fc25 100644 --- a/man8/s6-tlsserver.8 +++ b/man8/s6-tlsserver.8 @@ -1,4 +1,4 @@ -.Dd November 11, 2023 +.Dd November 20, 2023 .Dt S6-TLSSERVER 8 .Os .Sh NAME @@ -19,7 +19,7 @@ executes into a program. .Pp .Nm rewrites itself into a command line involving: -.Bl -bullet -width x +.Bl -bullet .It .Xr s6-tcpserver 8 , which listens to TCP connections on IP address @@ -84,7 +84,7 @@ a very public server (such as a Web server) or base your access control on client certificates, you probably still want TCP access rules. .Ss Options passed as-is to Xr s6-tcpserver 1 -.Bl -tag -width x +.Bl -tag -width 2n .It Fl q , Fl Q , Fl v .It Fl 1 .It Fl c Ar maxconn @@ -92,7 +92,7 @@ rules. .It Fl b Ar backlog .El .Ss Options passed as-is to Xr s6-tcpserver-access 1 -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v0 , Fl v2 The verbosity level. .It Fl w , Fl W @@ -103,10 +103,14 @@ Enable or disable Nagle's algorithm. Enable or disable IDENT lookups. .It Fl p , Fl P Enable or disable paranoid DNS cross-checking. -.It Fl h , Fl H -Enable or disable DNS lookups. +.It Fl H +Disable DNS lookups. +.It Fl h +Consult +.Pa /etc/hosts +before DNS. .It Fl l Ar localname -Get the local name from the command line, not from DNS. +Get the local name from the command line, don't look it up. .It Fl B Ar banner Initial server-side banner. .It Fl t Ar timeout 
@@ -115,13 +119,19 @@ Set a timeout for all the lookups. TCP access control. .El .Ss Options passed as-is to Xr s6-tlsd 1 -.Bl -tag -width x +.Bl -tag -width 2n .It Fl Z , Fl z Keep or remove the .Xr s6-tlsd-io 8 Ns -specific variables from the application's environment. .It Fl S , Fl s -Use close_notify or EOF to signal the end of a TLS connection. +Use +.Ql close_notify +or EOF to signal the end of a TLS connection. +.It Fl J , Fl j +Exit nonzero with an error message when the peer fails to +.Ql close_notify , +or ignore it. .It Fl Y , Fl y Request an optional or a mandatory client certificate. .It Fl K Ar kimeout @@ -130,7 +140,7 @@ Set a timeout for the TLS handshake. Support SNI-based certificate chains. .El .Ss Options passed to s6-applyuidgid -.Bl -tag -width x +.Bl -tag -width 2n .It Fl u Ar uid , Fl g Ar gid , Fl G Ar gidlist Set uid, gid, or supplementary group list. .It Fl U Po passed as Fl Uz Pc @@ -149,7 +159,7 @@ because they will be used by every .Xr s6-tlsd 8 invocation: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev KEYFILE .It Ev CERTFILE .It Ev TLS_UID and Ev TLS_GI @@ -177,7 +187,7 @@ or removed from, its environment by .Xr s6-tcpserverd 8 and possibly by .Xr s6-tcpserver-access 8 : -.Bl -tag -width x +.Bl -tag -width 2n .It Ev PROTO .It Ev TCPREMOTEIP .It Ev TCPREMOTEPORT diff --git a/man8/s6-ucspitlsc.8 b/man8/s6-ucspitlsc.8 index 6aff9bc..e70ead6 100644 --- a/man8/s6-ucspitlsc.8 +++ b/man8/s6-ucspitlsc.8 @@ -1,4 +1,4 @@ -.Dd September 29, 2021 +.Dd November 20, 2023 .Dt S6-UCSPITLSC 8 .Os .Sh NAME @@ -7,6 +7,7 @@ .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity @@ -56,7 +57,7 @@ If it does not, you will not be able to secure your connection, and what you need is a regular immediate TLS program instead, which means .Xr s6-tlsc 8 . .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for 
@@ -88,6 +89,14 @@ sends EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Make +.Xr s6-tlsc-io 8 +exit with a nonzero code if the peer sends EOF without a +.Ql close_notify +first. +.It Fl j +Treat EOF from the peer as a normal exit condition. .It Fl Y Do not send a client certificate. This is the default. @@ -130,7 +139,7 @@ spawns a .Xr s6-tlsc-io 8 program that does. So it should pay attention to the following variables: -.Bl -bullet -width x +.Bl -bullet .It .Ev CADIR or @@ -171,7 +180,7 @@ However, .Ar prog... is run with the following additional environment variables, following the UCSPI-TLS protocol: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev SSLCTLFD Contains the file descriptor number of the control socket. .It Ev SSLREADFD @@ -195,7 +204,7 @@ command (as opposed to a command), it will receive this information as a string sent over the control socket. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 100 Wrong usage. .It 111 diff --git a/man8/s6-ucspitlsd.8 b/man8/s6-ucspitlsd.8 index 0d3bd82..bd10d78 100644 --- a/man8/s6-ucspitlsd.8 +++ b/man8/s6-ucspitlsd.8 @@ -1,4 +1,4 @@ -.Dd January 15, 2023 +.Dd November 20, 2023 .Dt S6-UCSPITLSD 8 .Os .Sh NAME @@ -9,6 +9,7 @@ then execs into an application .Sh SYNOPSIS .Nm .Op Fl S | Fl s +.Op Fl J | Fl j .Op Fl Y | Fl y .Op Fl Z | Fl z .Op Fl v Ar verbosity @@ -59,7 +60,7 @@ If it does not, you will not be able to secure your connection, and what you need is a regular immediate TLS program instead, which means .Xr s6-tlsd 8 . .Sh OPTIONS -.Bl -tag -width x +.Bl -tag -width 2n .It Fl v Ar verbosity Be more or less verbose. Default for 
@@ -91,6 +92,14 @@ sends EOF. Transmit EOF by half-closing the TCP connection without using .Ql close_notify . This is the default. +.It Fl J +Make +.Xr s6-tlsd-io 8 +exit with a nonzero code if the peer sends EOF without a +.Ql close_notify +first. +.It Fl j +Treat EOF from the peer as a normal exit condition. .It Fl Y Request an optional client certificate. .It Fl y @@ -147,7 +156,7 @@ spawns a .Xr s6-tlsd-io 8 program that does. So it should pay attention to the following variables: -.Bl -bullet -width x +.Bl -bullet .It .Ev CERTFILE and @@ -204,7 +213,7 @@ However, .Ar prog... is run with the following additional environment variables, following the UCSPI-TLS protocol: -.Bl -tag -width x +.Bl -tag -width 2n .It Ev SSLCTLFD Contains the file descriptor number of the control socket. .It Ev SSLREADFD @@ -228,7 +237,7 @@ command (as opposed to a command), it will receive this information as a string sent over the control socket. .Sh EXIT STATUS -.Bl -tag -width x +.Bl -tag -width 2n .It 100 Wrong usage. .It 111 -- 2.45.2
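Review bot: In the s6-tcpclient.8 hunk for `-h`/`-H`, "voids any kind of lookup" reads oddly for a man page; "disables every lookup, DNS and hosts database alike" says the same thing plainly. The new `-H` text correctly states that both local and remote names are affected, so the `-h` sentence "The -H option overrides -h" should make the same point, for example "overrides -h: when no lookups are performed, the hosts database is not consulted either."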
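Review bot: In the s6-tcpserver-access.8 `-h` hunk, Note 1 is a comma splice: "overrides this one, no DNS lookups means that the hosts database won't be consulted either" should become "overrides this one: no DNS lookups means the hosts database is not consulted either." Note 2 is the security-relevant part of this change, since a name taken from the hosts database is not subject to the `-p` paranoid cross-check; consider repeating that caveat in the `-p` entry itself, because a reader configuring `-p` for access control will look there first and will not expect `-h` to carve out an exception.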
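Review bot: In the s6-tcpserver.8 hunk adding the verbosity paragraph, the new sentence cites "the UCSPI tool[1] interface" but no hunk in that file adds or changes a reference entry. The matching paragraph in s6-tcpserverd.8 adds a new "[2] https://cr.yp.to/proto/ucspi.txt" for the same claim, so either s6-tcpserver.8 already has a suitable [1] (in which case confirm it points at the UCSPI document rather than at tcpserver.html) or a reference entry is missing here as well.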
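Review bot: In the s6-tlsc-io.8 description hunk, "expects to read cleartext data to stdin" should be "from stdin"; the rest of the sentence ("and write cleartext data to stdout") and the corrected tunnel paragraph below it already use the right directions, so this is the one remaining slip.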
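Review bot: In the s6-tlsc-io.8 `-J` hunk, the new text says the program will "print a fatal error message and exit 98", but the only EXIT STATUS hunk in this file changes list width and shows entries starting at 0 and 96; no hunk adds a 98 entry. Either 98 is already documented in unchanged context, or this change needs a matching "`.It 98` The peer closed the connection without sending close_notify" entry so the exit code is discoverable.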
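Review bot: In the s6-tlsd-io.8 `-J` hunk, the same exit 98 is introduced and, as in s6-tlsc-io.8, the EXIT STATUS hunk in this file does not add a 98 entry; please check both pages together. Also, the "two ways for the TLS layer to handle it" list in this file is changed to `.Bl -bullet` while the identical list in s6-tlsc-io.8 is changed to `.Bl -enum`; the two pages should agree, and `-enum` suits text that refers to "two ways".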
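Review bot: In the `-J`/`-j` hunks for s6-tlsc.8, s6-tlsd.8, s6-ucspitlsc.8 and s6-ucspitlsd.8, the `-j` entry "Treat EOF from the peer as a normal exit condition." drops two things the s6-tlsc-io.8 and s6-tlsd-io.8 entries keep: the qualifier "without a prior close_notify" and the sentence "This is the default." Without the first, `-j` reads as if it also changes handling of a clean close_notify shutdown; without the second, a reader of these four pages cannot tell which of `-J`/`-j` applies when neither is given.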
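Review bot: In the s6-tlsclient.8 and s6-tlsserver.8 option-table hunks, "Get the local name from the command line, don't look it up." is a comma splice; "from the command line; do not look it up." fixes it. In the same tables the new `-J`/`-j` line uses close_notify as a verb ("when the peer fails to close_notify"); "fails to send close_notify" matches the wording used everywhere else in the patch. The unchanged `.Ss` headings in these hunks also cite `Xr s6-tcpclient 1`, `Xr s6-tlsc 1`, `Xr s6-tcpserver 1` and `Xr s6-tlsd 1` while the pages being cross-referenced are all in section 8, which is worth fixing while these files are open.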
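Review bot: In the s6-tlsserver.8 ENVIRONMENT hunk, the context line `.It Ev TLS_UID and Ev TLS_GI` looks truncated; the patch does not touch it, but since the hunk is being edited anyway, verify the variable name against the one s6-tlsd.8 documents and complete it.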