| author | Laurent Bercot <ska-skaware@skarnet.org> | 2026-04-13 03:32:51 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2026-04-13 03:32:51 +0000 |
| commit | 030078b7bf67a4307623f1a5c58284561ff64a56 (patch) | |
| tree | 908d840523cf84fad55753a1dc16cee31a1a0d65 | |
| parent | c2ffcd960ba55570fb701de2b9f4e2ad6e1d628d (diff) | |
| download | s6-networking-030078b7bf67a4307623f1a5c58284561ff64a56.tar.gz | |
Implement --no-verify-cert for s6-tlsc and s6-tlsc-io
| -rw-r--r-- | doc/s6-tlsc-io.html | 3 | ||||
| -rw-r--r-- | package/deps.mak | 9 | ||||
| -rw-r--r-- | src/include/s6-networking/sbearssl.h | 2 | ||||
| -rw-r--r-- | src/sbearssl/deps-lib/sbearssl | 1 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_client_init_and_run.c | 2 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_x509_small_init_full.c | 39 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_x509_small_init_full_options.c | 46 | ||||
| -rw-r--r-- | src/sbearssl/sbearssl_x509_small_vtable.c | 1 | ||||
| -rw-r--r-- | src/stls/stls_client_init_and_handshake.c | 4 | ||||
| -rw-r--r-- | src/tls/s6-tlsc-io.c | 91 | ||||
| -rw-r--r-- | src/tls/s6-tlsc.c | 115 | ||||
| -rw-r--r-- | src/tls/s6-ucspitlsc.c | 118 | ||||
| -rw-r--r-- | src/tls/s6tls_prep_tlscio.c | 5 |
13 files changed, 268 insertions, 168 deletions
diff --git a/doc/s6-tlsc-io.html b/doc/s6-tlsc-io.html index 45bd2b8..ac3b35f 100644 --- a/doc/s6-tlsc-io.html +++ b/doc/s6-tlsc-io.html @@ -216,6 +216,9 @@ Sending this data serves a dual purpose: telling the <em>notif</em> reader that the handshake has completed, and providing it with some basic information about the connection. If this option is not given, no such notification is performed. </li> + <li> <tt>--no-verify-cert</tt> : do not verify the certificate +sent by the server. This is insecure and should only be used in very +precise, controlled circumstances. </li> </ul> </body> diff --git a/package/deps.mak b/package/deps.mak index 76eb6a9..e0a1dca 100644 --- a/package/deps.mak +++ b/package/deps.mak 
@@ -78,6 +78,7 @@ src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_from_ta.lo: src/ src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_name_len.lo: src/sbearssl/sbearssl_x500_name_len.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_set_tai.lo: src/sbearssl/sbearssl_x509_minimal_set_tai.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_init_full.lo: src/sbearssl/sbearssl_x509_small_init_full.c src/include/s6-networking/sbearssl.h +src/sbearssl/sbearssl_x509_small_init_full_options.o src/sbearssl/sbearssl_x509_small_init_full_options.lo: src/sbearssl/sbearssl_x509_small_init_full_options.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_x509_small_vtable.lo: src/sbearssl/sbearssl_x509_small_vtable.c src/include/s6-networking/sbearssl.h src/sbearssl/sbearssl_x509_time_check.o src/sbearssl/sbearssl_x509_time_check.lo: src/sbearssl/sbearssl_x509_time_check.c src/include/s6-networking/sbearssl.h src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h 
@@ -138,15 +139,15 @@ libs6net.so.xyzzy:src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_re libs6net.dylib.xyzzy: EXTRA_LIBS := -lskarnet libs6net.dylib.xyzzy:src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) -libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_choose_algos_ec.o src/sbearssl/sbearssl_choose_algos_rsa.o src/sbearssl/sbearssl_choose_hash.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_sctx_init_full_generic.o src/sbearssl/sbearssl_sctx_set_policy_sni.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_storagelen.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_skey_wipe.o src/sbearssl/sbearssl_sni_policy_add_keypair_file.o src/sbearssl/sbearssl_sni_policy_init.o src/sbearssl/sbearssl_sni_policy_nkeypairs.o src/sbearssl/sbearssl_sni_policy_vtable.o src/sbearssl/sbearssl_suite_bits.o 
src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_dayseconds_from_tai.o src/sbearssl/sbearssl_tai_from_dayseconds.o src/sbearssl/sbearssl_x509_time_check.o +libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_choose_algos_ec.o src/sbearssl/sbearssl_choose_algos_rsa.o src/sbearssl/sbearssl_choose_hash.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_sctx_init_full_generic.o src/sbearssl/sbearssl_sctx_set_policy_sni.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_storagelen.o src/sbearssl/sbearssl_skey_to.o 
src/sbearssl/sbearssl_skey_wipe.o src/sbearssl/sbearssl_sni_policy_add_keypair_file.o src/sbearssl/sbearssl_sni_policy_init.o src/sbearssl/sbearssl_sni_policy_nkeypairs.o src/sbearssl/sbearssl_sni_policy_vtable.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_init_full_options.o src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_dayseconds_from_tai.o src/sbearssl/sbearssl_tai_from_dayseconds.o src/sbearssl/sbearssl_x509_time_check.o else -libsbearssl.a.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo 
src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo +libsbearssl.a.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo 
src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo endif libsbearssl.pc: EXTRA_LIBS := -lskarnet -lbearssl libsbearssl.so.xyzzy: EXTRA_LIBS := -lskarnet -lbearssl -libsbearssl.so.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo 
src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo 
src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo +libsbearssl.so.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo 
src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo libsbearssl.dylib.xyzzy: EXTRA_LIBS := -lskarnet -lbearssl -libsbearssl.dylib.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo 
src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo +libsbearssl.dylib.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo 
src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),) libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_handshake.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o src/stls/stls_send_environment.o else diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h index 6d68e1d..06815a8 100644 --- a/src/include/s6-networking/sbearssl.h +++ b/src/include/s6-networking/sbearssl.h @@ -59,6 +59,7 @@ struct sbearssl_x509_small_context_s br_name_element elts[6] ; uint8_t *eltstatus ; char *eehash ; + uint32_t flags ; } ; extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai const *) ; 
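Review bot: `uint32_t flags ;` is added to the public `sbearssl_x509_small_context` with no statement of what its bits mean, yet bit 0 is tested as a bare `1` in end_chain in sbearssl_x509_small_vtable.c and produced as `!!(preoptions & 2)` in sbearssl_client_init_and_run.c, so three places must agree on an undocumented layout. I would comment the field, `uint32_t flags ; /* bit 0: accept a chain that does not end at a known trust anchor (--no-verify-cert) */`, and give the bit a named constant next to the prototype that both call sites use. The field also grows a struct that callers allocate themselves (sbearssl_client_init_and_run appears to keep one as a local), so if the library's shared-object version is not bumped elsewhere in this commit, a caller built against the old layout would hand the new end_chain a context that has no `flags` member to read.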
@@ -74,6 +75,7 @@ extern int sbearssl_x509_time_check (void *, uint32_t, uint32_t, uint32_t, uint3 extern br_x509_class const sbearssl_x509_small_vtable ; extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *) ; +extern void sbearssl_x509_small_init_full_options (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *, uint32_t) ; /* Cipher suites */ diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl index ca68ead..cab0e36 100644 --- a/src/sbearssl/deps-lib/sbearssl +++ b/src/sbearssl/deps-lib/sbearssl @@ -53,6 +53,7 @@ sbearssl_x500_from_ta.o sbearssl_x500_name_len.o sbearssl_x509_minimal_set_tai.o sbearssl_x509_small_init_full.o +sbearssl_x509_small_init_full_options.o sbearssl_x509_small_vtable.o sbearssl_dayseconds_from_tai.o sbearssl_tai_from_dayseconds.o diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c index 82c3ff3..5dc764f 100644 --- a/src/sbearssl/sbearssl_client_init_and_run.c +++ b/src/sbearssl/sbearssl_client_init_and_run.c @@ -45,7 +45,7 @@ void sbearssl_client_init_and_run (int *fds, tain const *tto, uint32_t preoption br_x509_minimal_context dummy ; /* wasteful but the only simple API we have */ br_ssl_client_init_full(&cc, &dummy, btas, n) ; } - sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash) ; + sbearssl_x509_small_init_full_options(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash, !!(preoptions & 2)) ; if (!sbearssl_x509_small_set_tain_g(&xc)) strerr_diefu1sys(111, "initialize validation time") ; br_ssl_engine_set_x509(&cc.eng, &xc.vtable) ; diff --git a/src/sbearssl/sbearssl_x509_small_init_full.c b/src/sbearssl/sbearssl_x509_small_init_full.c index aece45c..1ed879f 100644 --- a/src/sbearssl/sbearssl_x509_small_init_full.c +++ b/src/sbearssl/sbearssl_x509_small_init_full.c 
@@ -1,45 +1,8 @@ /* ISC license. */ -#include <stddef.h> -#include <stdint.h> - -#include <bearssl.h> - -#include <skalibs/tai.h> - #include <s6-networking/sbearssl.h> -struct eltinfo_s -{ - size_t offset ; - size_t size ; - unsigned char oid[4] ; -} ; - -static struct eltinfo_s const eltinfo[6] = -{ - { .offset = offsetof(sbearssl_dn, c), .size = sizeof(((sbearssl_dn *)0)->c), .oid = "\x03\x55\x04\x06" }, - { .offset = offsetof(sbearssl_dn, st), .size = sizeof(((sbearssl_dn *)0)->st), .oid = "\x03\x55\x04\x08" }, - { .offset = offsetof(sbearssl_dn, l), .size = sizeof(((sbearssl_dn *)0)->l), .oid = "\x03\x55\x04\x07" }, - { .offset = offsetof(sbearssl_dn, o), .size = sizeof(((sbearssl_dn *)0)->o), .oid = "\x03\x55\x04\x0a" }, - { .offset = offsetof(sbearssl_dn, ou), .size = sizeof(((sbearssl_dn *)0)->ou), .oid = "\x03\x55\x04\x0b" }, - { .offset = offsetof(sbearssl_dn, cn), .size = sizeof(((sbearssl_dn *)0)->cn), .oid = "\x03\x55\x04\x03" } -} ; - void sbearssl_x509_small_init_full (sbearssl_x509_small_context *ctx, br_x509_trust_anchor *btas, size_t n, sbearssl_dn *eedn, uint8_t *eltstatus, char *eehash) { - ctx->vtable = &sbearssl_x509_small_vtable ; - br_x509_minimal_init_full(&ctx->minimal, btas, n) ; -#ifdef BR_FEATURE_X509_TIME_CALLBACK - br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ; -#endif - for (unsigned int i = 0 ; i < 6 ; i++) - { - ctx->elts[i].oid = eltinfo[i].oid ; - ctx->elts[i].buf = (char *)eedn + eltinfo[i].offset ; - ctx->elts[i].len = eltinfo[i].size ; - } - br_x509_minimal_set_name_elements(&ctx->minimal, ctx->elts, 6) ; - ctx->eltstatus = eltstatus ; - ctx->eehash = eehash ; + return sbearssl_x509_small_init_full_options(ctx, btas, n, eedn, eltstatus, eehash, 0) ; } diff --git a/src/sbearssl/sbearssl_x509_small_init_full_options.c b/src/sbearssl/sbearssl_x509_small_init_full_options.c new file mode 100644 index 0000000..ca8069b --- /dev/null 
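Review bot: `return sbearssl_x509_small_init_full_options(...) ;` returns an expression from a function declared `void`, which C11 6.8.6.4 forbids; gcc accepts it as an extension (warning under -pedantic) and clang warns by default. Drop the keyword: `sbearssl_x509_small_init_full_options(ctx, btas, n, eedn, eltstatus, eehash, 0) ;`. As this wrapper is now the verifying default, a short comment on the call, `/* flags = 0: require the chain to end at a configured trust anchor */`, would make the literal self-explanatory.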
+++ b/src/sbearssl/sbearssl_x509_small_init_full_options.c
@@ -0,0 +1,46 @@
+/* ISC license. */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <bearssl.h>
+
+#include <skalibs/tai.h>
+
+#include <s6-networking/sbearssl.h>
+
+struct eltinfo_s
+{
+ size_t offset ;
+ size_t size ;
+ unsigned char oid[4] ;
+} ;
+
+static struct eltinfo_s const eltinfo[6] =
+{
+ { .offset = offsetof(sbearssl_dn, c), .size = sizeof(((sbearssl_dn *)0)->c), .oid = "\x03\x55\x04\x06" },
+ { .offset = offsetof(sbearssl_dn, st), .size = sizeof(((sbearssl_dn *)0)->st), .oid = "\x03\x55\x04\x08" },
+ { .offset = offsetof(sbearssl_dn, l), .size = sizeof(((sbearssl_dn *)0)->l), .oid = "\x03\x55\x04\x07" },
+ { .offset = offsetof(sbearssl_dn, o), .size = sizeof(((sbearssl_dn *)0)->o), .oid = "\x03\x55\x04\x0a" },
+ { .offset = offsetof(sbearssl_dn, ou), .size = sizeof(((sbearssl_dn *)0)->ou), .oid = "\x03\x55\x04\x0b" },
+ { .offset = offsetof(sbearssl_dn, cn), .size = sizeof(((sbearssl_dn *)0)->cn), .oid = "\x03\x55\x04\x03" }
+} ;
+
+void sbearssl_x509_small_init_full_options (sbearssl_x509_small_context *ctx, br_x509_trust_anchor *btas, size_t n, sbearssl_dn *eedn, uint8_t *eltstatus, char *eehash, uint32_t flags)
+{
+ ctx->vtable = &sbearssl_x509_small_vtable ;
+ br_x509_minimal_init_full(&ctx->minimal, btas, n) ;
+#ifdef BR_FEATURE_X509_TIME_CALLBACK
+ br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ;
+#endif
+ for (unsigned int i = 0 ; i < 6 ; i++)
+ {
+ ctx->elts[i].oid = eltinfo[i].oid ;
+ ctx->elts[i].buf = (char *)eedn + eltinfo[i].offset ;
+ ctx->elts[i].len = eltinfo[i].size ;
+ }
+ br_x509_minimal_set_name_elements(&ctx->minimal, ctx->elts, 6) ;
+ ctx->eltstatus = eltstatus ;
+ ctx->eehash = eehash ;
+ ctx->flags = flags ;
+}
diff --git a/src/sbearssl/sbearssl_x509_small_vtable.c b/src/sbearssl/sbearssl_x509_small_vtable.c
index 3b39055..951290a 100644
--- a/src/sbearssl/sbearssl_x509_small_vtable.c
+++ b/src/sbearssl/sbearssl_x509_small_vtable.c @@ -43,6 +43,7 @@ static unsigned int end_chain (br_x509_class const **c) { sbearssl_x509_small_context *ctx = INSTANCE(c) ; unsigned int r = ctx->minimal.vtable->end_chain(&ctx->minimal.vtable) ; + if (ctx->flags & 1 && r == BR_ERR_X509_NOT_TRUSTED) r = 0 ; if (!r) { uint8_t mask = 1 ; diff --git a/src/stls/stls_client_init_and_handshake.c b/src/stls/stls_client_init_and_handshake.c index 6f0e248..d68d3a9 100644 --- a/src/stls/stls_client_init_and_handshake.c +++ b/src/stls/stls_client_init_and_handshake.c @@ -64,7 +64,9 @@ struct tls *stls_client_init_and_handshake (int const *fds, tain const *tto, uin if (tls_config_set_ecdhecurve(cfg, "auto") < 0) diecfg(cfg, "tls_config_set_ecdhecurve") ; - tls_config_verify(cfg) ; + if (preoptions & 2) tls_config_insecure_noverifycert(cfg) ; + else tls_config_verify(cfg) ; + tls_config_set_protocols(cfg, TLS_PROTOCOLS_ALL) ; tls_config_prefer_ciphers_server(cfg) ; if (!servername) tls_config_insecure_noverifyname(cfg) ; diff --git a/src/tls/s6-tlsc-io.c b/src/tls/s6-tlsc-io.c index 25347b7..9098fdc 100644 --- a/src/tls/s6-tlsc-io.c +++ b/src/tls/s6-tlsc-io.c @@ -3,10 +3,10 @@ #include <stdint.h> #include <signal.h> +#include <skalibs/uint64.h> #include <skalibs/gccattributes.h> #include <skalibs/types.h> -#include <skalibs/sgetopt.h> -#include <skalibs/strerr.h> +#include <skalibs/envexec.h> #include <skalibs/tai.h> #include <skalibs/sig.h> #include <skalibs/djbunix.h> 
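Review bot: `if (ctx->flags & 1 && r == BR_ERR_X509_NOT_TRUSTED) r = 0 ;` relies on `&` binding tighter than `&&`; it is correct, but clang's -Wparentheses flags this shape and the parenthesized form states the intent: `if ((ctx->flags & 1) && r == BR_ERR_X509_NOT_TRUSTED) r = 0 ;`. The line also deserves a comment on what is and is not waived: only the missing trust-anchor match is ignored, and as far as I can tell BearSSL's minimal engine still reports expired, malformed, badly-signed or (when a server name was set) mismatching chains under other error codes, so those still fail the handshake. Something like `/* --no-verify-cert: accept a chain that does not end at a known trust anchor; every other X.509 error still fails */` would record that. The masking mirrors the noanchor wrapper BearSSL itself ships, which depends on the minimal engine still exposing the end-entity key after NOT_TRUSTED; end_chain continues outside the hunk, so I cannot see whether the code that follows relies on anything more.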
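Review bot: `tls_config_insecure_noverifycert(cfg)` disables the whole libtls chain check, which as far as I know also drops the validity-period check, whereas the BearSSL backend in this same commit waives only the trust-anchor match and still rejects expired chains; the two backends therefore give `--no-verify-cert` different meanings. Either narrow the libtls side or state the difference in the documentation, and at least mark it on the line: `/* --no-verify-cert: with libtls this also skips the certificate validity-period check */`. Name verification is untouched by this branch and still follows the `servername` test below, which looks right. stls_client_init_and_handshake continues outside the hunk.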
@@ -16,6 +16,23 @@ #define USAGE "s6-tlsc-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -K timeout ] [ -k servername ] fdr fdw" #define dieusage() strerr_dieusage(100, USAGE) +enum golb_e +{ + GOLB_CLOSENOTIFY = 0x01, + GOLB_STRICTCN = 0x02, + GOLB_CLIENTCERT = 0x10, + GOLB_NOVERIFY = 0x20, +} ; + +enum gola_e +{ + GOLA_VERBOSITY, + GOLA_KIMEOUT, + GOLA_SERVERNAME, + GOLA_NOTIF, + GOLA_N +} ; + static inline void doit (int *, tain const *tto, uint32_t, uint32_t, unsigned int, char const *, unsigned int) gccattr_noreturn ; #ifdef S6_NETWORKING_USE_TLS 
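Review bot: The `USAGE` string on the context line still lists only the short options (`[ -S | -s ] [ -J | -j ] [ -Y | -y ]`) and says nothing about `--verify-cert`/`--no-verify-cert`, although the option tables in main now accept them; `dieusage()` is what a user sees on a wrong invocation, so it needs updating in the same commit, e.g. appending `[ --no-verify-cert ]` before `fdr fdw` since that option has no short form (`.so = 0`). The diffstat shows no change to doc/s6-tlsc.html although the commit title covers s6-tlsc, so the same check applies to the s6-tlsc.c and s6-ucspitlsc.c usage strings. `GOLB_CLIENTCERT = 0x10` and `GOLB_NOVERIFY = 0x20` sit above a nibble boundary only because main later splits the word with `wgolb >> 4` and `wgolb & 0xf` into the `preoptions` values 1 and 2 the backends expect; that dependency is invisible on the enum and should be written on it: `/* bits 0-3: run-time options; bits 4-7: preoptions, passed to doit() as wgolb >> 4 */`.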
@@ -67,41 +84,51 @@ static inline void doit (int *fds, tain const *tto, uint32_t preoptions, uint32_
 int main (int argc, char const *const *argv, char const *const *envp)
 {
- char const *servername = 0 ;
- tain tto ;
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "no-client-cert", .clear = GOLB_CLIENTCERT, .set = 0 },
+ { .so = 'y', .lo = "client-cert", .clear = 0, .set = GOLB_CLIENTCERT },
+ { .so = 0, .lo = "verify-cert", .clear = GOLB_NOVERIFY, .set = 0 },
+ { .so = 0, .lo = "no-verify-cert", .clear = 0, .set = GOLB_NOVERIFY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
+ { .so = 'd', .lo = "notification-fd", .i = GOLA_NOTIF },
+ } ;
 int fds[4] = { 0, 1 } ;
+ tain tto = TAIN_INFINITE_RELATIVE ;
 unsigned int verbosity = 1 ;
 unsigned int notif = 0 ;
- uint32_t preoptions = 0 ;
- uint32_t options = 0 ;
-
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
+ unsigned int golc ;
 PROG = "s6-tlsc-io" ;
+
+ golc = GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (argc < 2) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
 {
- subgetopt l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "d:SsJjYyv:K:k:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'd' : if 
(!uint0_scan(l.arg, ¬if)) dieusage() ; break ;
- case 'S' : options |= 1 ; break ;
- case 's' : options &= ~1 ; break ;
- case 'J' : options |= 2 ; break ;
- case 'j' : options &= ~2 ; break ;
- case 'y' : preoptions |= 1 ; break ;
- case 'Y' : preoptions &= ~1 ; break ;
- case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'k' : servername = l.arg ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
+ unsigned int kimeout ;
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ if (kimeout) tain_from_millisecs(&tto, kimeout) ;
 }
- if (argc < 2) dieusage() ;
+ if (wgola[GOLA_NOTIF])
+ if (!uint0_scan(wgola[GOLA_NOTIF], ¬if))
+ strerr_dief2x(100, "notification-fd", " must be an unsigned integer") ;
+
 {
 unsigned int u ;
 if (!uint0_scan(argv[0], &u)) dieusage() ;
@@ -112,5 +139,5 @@ int main (int argc, char const *const *argv, char const *const *envp)
 if (!sig_ignore(SIGPIPE)) strerr_diefu1sys(111, "ignore SIGPIPE") ;
 tain_now_set_stopwatch_g() ;
- doit(fds, &tto, preoptions, options, verbosity, servername, notif) ;
+ doit(fds, &tto, wgolb >> 4, wgolb & 0xf, verbosity, wgola[GOLA_SERVERNAME], notif) ;
 }
diff --git a/src/tls/s6-tlsc.c b/src/tls/s6-tlsc.c
index ebea264..2308a52 100644
--- a/src/tls/s6-tlsc.c
+++ b/src/tls/s6-tlsc.c
@@ -5,8 +5,7 @@
 #include <fcntl.h>
 #include <skalibs/types.h>
-#include <skalibs/sgetopt.h>
-#include <skalibs/strerr.h>
+#include <skalibs/envexec.h>
 #include <skalibs/djbunix.h>
 #include "s6tls-internal.h" 
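Review bot: The option checks `if (wgola[GOLA_VERBOSITY]) if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity)) strerr_dief2x(...)` stack two unbraced ifs, which is the classic dangling-else trap as soon as someone adds an `else`; the same shape is used for the kimeout and notification-fd checks and in the s6-tlsc.c and s6-ucspitlsc.c main hunks. Folding the test into one condition avoids it: `if (wgola[GOLA_VERBOSITY] && !uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))`. main continues past this hunk; the fd parsing and the doit call are in the next one.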
@@ -14,64 +13,92 @@
 #define USAGE "s6-tlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -k servername ] [ -Z | -z ] [ -6 fdr ] [ -7 fdw ] prog..."
 #define dieusage() strerr_dieusage(100, USAGE)
+enum golb_e
+{
+ GOLB_CLOSENOTIFY = 0x01,
+ GOLB_STRICTCN = 0x02,
+ GOLB_CLIENTCERT = 0x04,
+ GOLB_NOVERIFY = 0x08,
+ GOLB_KEEP = 0x10,
+} ;
+
+enum gola_e
+{
+ GOLA_VERBOSITY,
+ GOLA_KIMEOUT,
+ GOLA_SERVERNAME,
+ GOLA_RFD,
+ GOLA_WFD,
+ GOLA_N
+} ;
+
 int main (int argc, char const *const *argv)
 {
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "no-client-cert", .clear = GOLB_CLIENTCERT, .set = 0 },
+ { .so = 'y', .lo = "client-cert", .clear = 0, .set = GOLB_CLIENTCERT },
+ { .so = 'z', .lo = "no-keep", .clear = GOLB_KEEP, .set = 0 },
+ { .so = 'Z', .lo = "keep", .clear = 0, .set = GOLB_KEEP },
+ { .so = 0, .lo = "verify-cert", .clear = GOLB_NOVERIFY, .set = 0 },
+ { .so = 0, .lo = "no-verify-cert", .clear = 0, .set = GOLB_NOVERIFY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
+ { .so = '6', .lo = "read-fd", .i = GOLA_RFD },
+ { .so = '7', .lo = "write-fd", .i = GOLA_WFD },
+ } ;
 unsigned int verbosity = 1 ;
 unsigned int kimeout = 0 ;
 int p[8] = { [6] = 6, [7] = 7 } ;
- uint32_t coptions = 0 ;
- uint32_t poptions = 1 ;
 pid_t pid ;
- char const *servername = 0 ;
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
+ unsigned int golc ;
 char const *newargv[S6TLS_PREP_IO_ARGC] ;
 char buf[S6TLS_PREP_IO_BUFLEN] ;
+
 PROG = "s6-tlsc" ;
+ golc = 
GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (!argc) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ if (wgola[GOLA_RFD])
 {
- subgetopt l = SUBGETOPT_ZERO ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "SsJjyYv:K:k:Zz6:7:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'S' : coptions |= 4 ; break ;
- case 's' : coptions &= ~4 ; break ;
- case 'J' : coptions |= 2 ; break ;
- case 'j' : coptions &= ~2 ; break ;
- case 'y' : coptions |= 1 ; break ;
- case 'Y' : coptions &= ~1 ; break ;
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
- case 'k' : servername = l.arg ; break ;
- case 'Z' : poptions &= ~1 ; break ;
- case 'z' : poptions |= 1 ; break ;
- case '6' :
- {
- unsigned int fd ;
- if (!uint0_scan(l.arg, &fd) || fd < 3) dieusage() ;
- p[6] = fd ;
- break ;
- }
- case '7' :
- {
- unsigned int fd ;
- if (!uint0_scan(l.arg, &fd) || fd < 3) dieusage() ;
- p[7] = fd ;
- break ;
- }
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
+ unsigned int fd ;
+ if (!uint0_scan(wgola[GOLA_RFD], &fd) || fd < 3)
+ strerr_dief3x(100, "read-fd", " must be an unsigned integer", " (3 or more)") ;
+ p[6] = fd ;
 }
- if (!argc || p[6] == p[7]) dieusage() ;
+ if (wgola[GOLA_WFD])
+ {
+ unsigned int fd ;
+ if (!uint0_scan(wgola[GOLA_WFD], &fd) || fd < 3)
+ strerr_dief3x(100, "write-fd", " must be an unsigned integer", " (3 or more)") ;
+ p[7] = fd ;
+ }
+ if (p[6] == p[7]) strerr_dief1x(100, "read-fd and write-fd must be different") ;
+ fd_sanitize() ;
 if (fcntl(p[6], F_GETFD) == -1 || fcntl(p[7], F_GETFD) == -1) strerr_diefu1sys(111, "check network fds") ;
 if 
(pipe(p) == -1 || pipe(p+2) == -1 || pipe(p+4) == -1) strerr_diefu1sys(111, "pipe") ;
- s6tls_prep_tlscio(newargv, buf, p, coptions, verbosity, kimeout, servername) ;
+ s6tls_prep_tlscio(newargv, buf, p, wgolb & 0xf, verbosity, kimeout, wgola[GOLA_SERVERNAME]) ;
 pid = s6tls_io_spawn(newargv, p, 1) ;
 if (!pid) strerr_diefu2sys(111, "spawn ", newargv[0]) ;
- s6tls_sync_and_exec_app(argv, p, pid, poptions) ;
+ s6tls_sync_and_exec_app(argv, p, pid, wgolb >> 4) ;
 }
diff --git a/src/tls/s6-ucspitlsc.c b/src/tls/s6-ucspitlsc.c
index cd29324..60f76de 100644
--- a/src/tls/s6-ucspitlsc.c
+++ b/src/tls/s6-ucspitlsc.c
@@ -4,13 +4,12 @@
 #include <stdint.h>
 #include <unistd.h>
+#include <skalibs/uint64.h>
 #include <skalibs/gccattributes.h>
 #include <skalibs/types.h>
-#include <skalibs/sgetopt.h>
-#include <skalibs/strerr.h>
 #include <skalibs/djbunix.h>
 #include <skalibs/socket.h>
-#include <skalibs/exec.h>
+#include <skalibs/envexec.h>
 #include <s6-networking/config.h>
 #include "s6tls-internal.h"
@@ -18,6 +17,25 @@
 #define USAGE "s6-ucspitlsc [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] [ -k servername ] [ -6 fdr ] [ -7 fdw ] prog..."
 #define dieusage() strerr_dieusage(100, USAGE)
+enum golb_e
+{
+ GOLB_CLOSENOTIFY = 0x01,
+ GOLB_STRICTCN = 0x02,
+ GOLB_CLIENTCERT = 0x04,
+ GOLB_NOVERIFY = 0x08,
+ GOLB_KEEP = 0x10,
+} ;
+
+enum gola_e
+{
+ GOLA_VERBOSITY,
+ GOLA_KIMEOUT,
+ GOLA_SERVERNAME,
+ GOLA_RFD,
+ GOLA_WFD,
+ GOLA_N
+} ;
+
 static inline void child (int *, uint32_t, unsigned int, unsigned int, char const *, pid_t) gccattr_noreturn ;
 static inline void child (int *p, uint32_t options, unsigned int verbosity, unsigned int kimeout, char const *servername, pid_t pid)
 { 
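Review bot: The value passed to `s6tls_sync_and_exec_app` changes meaning: the old `poptions` started at 1, `-z` set bit 0 and `-Z` cleared it, whereas now `GOLB_KEEP` is set by `-Z`/`--keep`, cleared by `-z`/`--no-keep`, and `wgolb` starts at 0, so `wgolb >> 4` is 1 exactly where the old code passed 0 and the default flips from 1 to 0. Nothing in the diffstat touches s6tls_sync_and_exec_app or s6tls_ucspi_exec_app, so unless they were adapted in another commit the -Z/-z behaviour and the default are inverted; the s6-ucspitlsc.c main hunk and its `s6tls_ucspi_exec_app(argv, p, wgolb >> 4)` hunk have the same problem. The smallest fix that keeps the callees' contract is to pass the old encoding explicitly, `s6tls_sync_and_exec_app(argv, p, pid, (wgolb & GOLB_KEEP) ? 0 : 1) ;`, with a comment that bit 0 means 'do not keep'.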
@@ -67,58 +85,66 @@ static inline void child (int *p, uint32_t options, unsigned int verbosity, unsi
 int main (int argc, char const *const *argv, char const *const *envp)
 {
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "no-client-cert", .clear = GOLB_CLIENTCERT, .set = 0 },
+ { .so = 'y', .lo = "client-cert", .clear = 0, .set = GOLB_CLIENTCERT },
+ { .so = 'z', .lo = "no-keep", .clear = GOLB_KEEP, .set = 0 },
+ { .so = 'Z', .lo = "keep", .clear = 0, .set = GOLB_KEEP },
+ { .so = 0, .lo = "verify-cert", .clear = GOLB_NOVERIFY, .set = 0 },
+ { .so = 0, .lo = "no-verify-cert", .clear = 0, .set = GOLB_NOVERIFY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
+ { .so = '6', .lo = "read-fd", .i = GOLA_RFD },
+ { .so = '7', .lo = "write-fd", .i = GOLA_WFD },
+ } ;
+
 unsigned int verbosity = 1 ;
 unsigned int kimeout = 0 ;
- uint32_t coptions = 0 ;
 int p[8] = { [6] = 6, [7] = 7 } ;
- uint32_t poptions = 1 ;
 pid_t pid ;
- char const *servername = 0 ;
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
+ unsigned int golc ;
 PROG = "s6-ucspitlsc (parent)" ;
+ golc = GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (!argc) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ if 
(wgola[GOLA_RFD])
 {
- subgetopt l = SUBGETOPT_ZERO ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "SsJjyYv:K:Zzk:6:7:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'S' : coptions |= 4 ; break ;
- case 's' : coptions &= ~4 ; break ;
- case 'J' : coptions |= 2 ; break ;
- case 'j' : coptions &= ~2 ; break ;
- case 'y' : coptions |= 1 ; break ;
- case 'Y' : coptions &= ~1 ; break ;
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
- case 'Z' : poptions &= ~1 ; break ;
- case 'z' : poptions |= 1 ; break ;
- case 'k' : servername = l.arg ; break ;
- case '6' :
- {
- unsigned int fd ;
- if (!uint0_scan(l.arg, &fd)) dieusage() ;
- p[6] = fd ;
- break ;
- }
- case '7' :
- {
- unsigned int fd ;
- if (!uint0_scan(l.arg, &fd)) dieusage() ;
- p[7] = fd ;
- break ;
- }
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
+ unsigned int fd ;
+ if (!uint0_scan(wgola[GOLA_RFD], &fd) || fd < 3)
+ strerr_dief3x(100, "read-fd", " must be an unsigned integer", " (3 or more)") ;
+ p[6] = fd ;
 }
- if (!argc || p[6] == p[7]) dieusage() ;
+ if (wgola[GOLA_WFD])
+ {
+ unsigned int fd ;
+ if (!uint0_scan(wgola[GOLA_WFD], &fd) || fd < 3)
+ strerr_dief3x(100, "write-fd", " must be an unsigned integer", " (3 or more)") ;
+ p[7] = fd ;
+ }
+ if (p[6] == p[7]) strerr_dief1x(100, "read-fd and write-fd must be different") ;
+ fd_sanitize() ;
 if (fcntl(p[6], F_GETFD) == -1 || fcntl(p[7], F_GETFD) == -1) strerr_diefu1sys(111, "check network fds") ;
- if (pipe(p) == -1 || pipe(p+2) == -1) strerr_diefu1sys(111, "pipe") ;
 if (ipc_pair_b(p+4) == -1) strerr_diefu1sys(111, "ipc_pair") ;
 pid = getpid() ; 
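Review bot: The line `if (pipe(p) == -1 || pipe(p+2) == -1) strerr_diefu1sys(111, "pipe") ;` is removed and nothing in the visible hunks creates p[0..3] in its place, yet `child(p, ...)` and `s6tls_ucspi_exec_app(argv, p, ...)` in the next hunk still receive the same array, whose first four entries are now just the zero initializer of `int p[8] = { [6] = 6, [7] = 7 }`. Unless those callees were changed in another commit to create the data pipes themselves, both sides of the fork will operate on fd 0 instead of the pipes; the removal is also unrelated to --no-verify-cert and is not mentioned in the commit message, so either restore the line or add a comment explaining where the pipes now come from. s6-tlsc.c keeps its equivalent pipe() line as unchanged context in this same commit. main continues into the next hunk.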
@@ -126,8 +152,8 @@ int main (int argc, char const *const *argv, char const *const *envp)
 switch (fork())
 {
 case -1 : strerr_diefu1sys(111, "fork") ;
- case 0 : child(p, coptions, verbosity, kimeout, servername, pid) ;
+ case 0 : child(p, wgolb & 0xf, verbosity, kimeout, wgola[GOLA_SERVERNAME], pid) ;
 default : break ;
 }
- s6tls_ucspi_exec_app(argv, p, poptions) ;
+ s6tls_ucspi_exec_app(argv, p, wgolb >> 4) ;
 }
diff --git a/src/tls/s6tls_prep_tlscio.c b/src/tls/s6tls_prep_tlscio.c
index f56106f..d6b00fc 100644
--- a/src/tls/s6tls_prep_tlscio.c
+++ b/src/tls/s6tls_prep_tlscio.c
@@ -25,9 +25,10 @@ void s6tls_prep_tlscio (char const **argv, char *buf, int const *p, uint32_t opt
 n += uint_fmt(buf + n, p[5]) ;
 buf[n++] = 0 ;
 }
- if (options & 4) argv[m++] = "-S" ;
+ if (options & 1) argv[m++] = "-S" ;
 if (options & 2) argv[m++] = "-J" ;
- if (options & 1) argv[m++] = "-y" ;
+ if (options & 4) argv[m++] = "-y" ;
+ if (options & 8) argv[m++] = "--no-verify-cert" ;
 if (kimeout)
 {
 argv[m++] = "-K" ; |
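Review bot: `argv[m++] = "--no-verify-cert"` adds one more possible entry to the argv built here, but `S6TLS_PREP_IO_ARGC`, which sizes `newargv` in s6-tlsc.c, lives in s6tls-internal.h and that header is not in the diffstat; if the constant was sized to the previous maximum, giving every option now writes one pointer past the caller's array, so please confirm it has slack or bump it. The renumbering (`options & 1` for -S, `& 4` for -y, `& 8` for the new flag) changes the `options` contract of s6tls_prep_tlscio for every caller, and a comment on the function would make that explicit, e.g. `/* options: 1 = -S, 2 = -J, 4 = -y, 8 = --no-verify-cert; must match golb_e in the callers */`. The function continues outside the hunk.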
