authorLaurent Bercot <ska-skaware@skarnet.org>2026-04-18 12:52:34 +0000
committerLaurent Bercot <ska-skaware@skarnet.org>2026-04-18 12:52:34 +0000
commit49a26b0671b3fbe932a0a26e9414cce6e8ef3ec2 (patch)
treed1a158e29649a319da157491a40f9cfdef329183
parent94f7c378aa7e5f261a3c9e80bfd8a12a264e7ec6 (diff)
downloads6-networking-49a26b0671b3fbe932a0a26e9414cce6e8ef3ec2.tar.gz
Prepare for 2.8.0.0; convert tls programs to gol, add noverifycert
-rw-r--r--doc/index.html4
-rw-r--r--doc/upgrade.html2
-rw-r--r--package/deps.mak9
-rw-r--r--package/info2
-rw-r--r--src/include/s6-networking/sbearssl.h3
-rw-r--r--src/sbearssl/deps-lib/sbearssl1
-rw-r--r--src/sbearssl/sbearssl_client_init_and_run.c2
-rw-r--r--src/sbearssl/sbearssl_server_init_and_run.c2
-rw-r--r--src/sbearssl/sbearssl_x509_small_init_full.c42
-rw-r--r--src/sbearssl/sbearssl_x509_small_init_full_options.c46
-rw-r--r--src/tls/s6-tlsc-io.c4
-rw-r--r--src/tls/s6-tlsc.c4
-rw-r--r--src/tls/s6-tlsclient.c2
-rw-r--r--src/tls/s6-tlsd-io.c107
-rw-r--r--src/tls/s6-tlsd.c94
-rw-r--r--src/tls/s6-tlsserver.c77
-rw-r--r--src/tls/s6-ucspitlsc.c4
-rw-r--r--src/tls/s6-ucspitlsd.c102
-rw-r--r--src/tls/s6tls-internal.h4
-rw-r--r--src/tls/s6tls_prep_tlsdio.c19
20 files changed, 310 insertions, 220 deletions
diff --git a/doc/index.html b/doc/index.html
index 2539894..d19c9be 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -92,8 +92,8 @@ run-time requirement if you link against its shared version. </li>
<ul>
<li> The current released version of s6-networking is
-<a href="s6-networking-2.7.3.0.tar.gz">2.7.3.0</a>.
-You can access its checksum <a href="s6-networking-2.7.3.0.tar.gz.sha256">here</a>. </li>
+<a href="s6-networking-2.8.0.0.tar.gz">2.8.0.0</a>.
+You can access its checksum <a href="s6-networking-2.8.0.0.tar.gz.sha256">here</a>. </li>
<li> Alternatively, you can checkout a copy of the
<a href="//git.skarnet.org/cgi-bin/cgit.cgi/s6-networking/">s6-networking
git repository</a>:
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 282e042..796d1c7 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -19,7 +19,7 @@
<h1> What has changed in s6-networking </h1>
-<h2> in 2.7.3.0 </h2>
+<h2> in 2.8.0.0 </h2>
<ul>
<li> Support for disabling RPATH at configure time. </li>
diff --git a/package/deps.mak b/package/deps.mak
index e0a1dca..76eb6a9 100644
--- a/package/deps.mak
+++ b/package/deps.mak
@@ -78,7 +78,6 @@ src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_from_ta.lo: src/
src/sbearssl/sbearssl_x500_name_len.o src/sbearssl/sbearssl_x500_name_len.lo: src/sbearssl/sbearssl_x500_name_len.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_minimal_set_tai.lo: src/sbearssl/sbearssl_x509_minimal_set_tai.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_init_full.lo: src/sbearssl/sbearssl_x509_small_init_full.c src/include/s6-networking/sbearssl.h
-src/sbearssl/sbearssl_x509_small_init_full_options.o src/sbearssl/sbearssl_x509_small_init_full_options.lo: src/sbearssl/sbearssl_x509_small_init_full_options.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_x509_small_vtable.lo: src/sbearssl/sbearssl_x509_small_vtable.c src/include/s6-networking/sbearssl.h
src/sbearssl/sbearssl_x509_time_check.o src/sbearssl/sbearssl_x509_time_check.lo: src/sbearssl/sbearssl_x509_time_check.c src/include/s6-networking/sbearssl.h
src/stls/stls_client_init_and_handshake.o src/stls/stls_client_init_and_handshake.lo: src/stls/stls_client_init_and_handshake.c src/include/s6-networking/stls.h src/stls/stls-internal.h
@@ -139,15 +138,15 @@ libs6net.so.xyzzy:src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_re
libs6net.dylib.xyzzy: EXTRA_LIBS := -lskarnet
libs6net.dylib.xyzzy:src/libs6net/s6net_ident_client.lo src/libs6net/s6net_ident_reply_get.lo src/libs6net/s6net_ident_reply_parse.lo src/libs6net/s6net_ident_error.lo
ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
-libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_choose_algos_ec.o src/sbearssl/sbearssl_choose_algos_rsa.o src/sbearssl/sbearssl_choose_hash.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_sctx_init_full_generic.o src/sbearssl/sbearssl_sctx_set_policy_sni.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_storagelen.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_skey_wipe.o src/sbearssl/sbearssl_sni_policy_add_keypair_file.o src/sbearssl/sbearssl_sni_policy_init.o src/sbearssl/sbearssl_sni_policy_nkeypairs.o src/sbearssl/sbearssl_sni_policy_vtable.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_name_len.o 
src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_init_full_options.o src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_dayseconds_from_tai.o src/sbearssl/sbearssl_tai_from_dayseconds.o src/sbearssl/sbearssl_x509_time_check.o
+libsbearssl.a.xyzzy: src/sbearssl/sbearssl_append.o src/sbearssl/sbearssl_cert_from.o src/sbearssl/sbearssl_cert_readbigpem.o src/sbearssl/sbearssl_cert_readfile.o src/sbearssl/sbearssl_cert_to.o src/sbearssl/sbearssl_choose_algos_ec.o src/sbearssl/sbearssl_choose_algos_rsa.o src/sbearssl/sbearssl_choose_hash.o src/sbearssl/sbearssl_client_init_and_run.o src/sbearssl/sbearssl_drop.o src/sbearssl/sbearssl_ec_issuer_keytype.o src/sbearssl/sbearssl_ec_pkey_from.o src/sbearssl/sbearssl_ec_pkey_to.o src/sbearssl/sbearssl_ec_skey_from.o src/sbearssl/sbearssl_ec_skey_to.o src/sbearssl/sbearssl_error_str.o src/sbearssl/sbearssl_get_keycert.o src/sbearssl/sbearssl_get_tas.o src/sbearssl/sbearssl_isder.o src/sbearssl/sbearssl_pem_decode_from_buffer.o src/sbearssl/sbearssl_pem_decode_from_string.o src/sbearssl/sbearssl_pem_push.o src/sbearssl/sbearssl_pkey_from.o src/sbearssl/sbearssl_pkey_to.o src/sbearssl/sbearssl_rsa_pkey_from.o src/sbearssl/sbearssl_rsa_pkey_to.o src/sbearssl/sbearssl_rsa_skey_from.o src/sbearssl/sbearssl_rsa_skey_to.o src/sbearssl/sbearssl_run.o src/sbearssl/sbearssl_sctx_init_full_generic.o src/sbearssl/sbearssl_sctx_set_policy_sni.o src/sbearssl/sbearssl_send_environment.o src/sbearssl/sbearssl_server_init_and_run.o src/sbearssl/sbearssl_skey_from.o src/sbearssl/sbearssl_skey_readfile.o src/sbearssl/sbearssl_skey_storagelen.o src/sbearssl/sbearssl_skey_to.o src/sbearssl/sbearssl_skey_wipe.o src/sbearssl/sbearssl_sni_policy_add_keypair_file.o src/sbearssl/sbearssl_sni_policy_init.o src/sbearssl/sbearssl_sni_policy_nkeypairs.o src/sbearssl/sbearssl_sni_policy_vtable.o src/sbearssl/sbearssl_suite_bits.o src/sbearssl/sbearssl_suite_list.o src/sbearssl/sbearssl_suite_name.o src/sbearssl/sbearssl_ta_cert.o src/sbearssl/sbearssl_ta_certs.o src/sbearssl/sbearssl_ta_from.o src/sbearssl/sbearssl_ta_readdir.o src/sbearssl/sbearssl_ta_readfile.o src/sbearssl/sbearssl_ta_to.o src/sbearssl/sbearssl_x500_from_ta.o src/sbearssl/sbearssl_x500_name_len.o 
src/sbearssl/sbearssl_x509_minimal_set_tai.o src/sbearssl/sbearssl_x509_small_init_full.o src/sbearssl/sbearssl_x509_small_vtable.o src/sbearssl/sbearssl_dayseconds_from_tai.o src/sbearssl/sbearssl_tai_from_dayseconds.o src/sbearssl/sbearssl_x509_time_check.o
else
-libsbearssl.a.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo 
src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
+libsbearssl.a.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo 
src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
endif
libsbearssl.pc: EXTRA_LIBS := -lskarnet -lbearssl
libsbearssl.so.xyzzy: EXTRA_LIBS := -lskarnet -lbearssl
-libsbearssl.so.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo 
src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
+libsbearssl.so.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo src/sbearssl/sbearssl_x500_from_ta.lo 
src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
libsbearssl.dylib.xyzzy: EXTRA_LIBS := -lskarnet -lbearssl
-libsbearssl.dylib.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo 
src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_init_full_options.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
+libsbearssl.dylib.xyzzy:src/sbearssl/sbearssl_append.lo src/sbearssl/sbearssl_cert_from.lo src/sbearssl/sbearssl_cert_readbigpem.lo src/sbearssl/sbearssl_cert_readfile.lo src/sbearssl/sbearssl_cert_to.lo src/sbearssl/sbearssl_choose_algos_ec.lo src/sbearssl/sbearssl_choose_algos_rsa.lo src/sbearssl/sbearssl_choose_hash.lo src/sbearssl/sbearssl_client_init_and_run.lo src/sbearssl/sbearssl_drop.lo src/sbearssl/sbearssl_ec_issuer_keytype.lo src/sbearssl/sbearssl_ec_pkey_from.lo src/sbearssl/sbearssl_ec_pkey_to.lo src/sbearssl/sbearssl_ec_skey_from.lo src/sbearssl/sbearssl_ec_skey_to.lo src/sbearssl/sbearssl_error_str.lo src/sbearssl/sbearssl_get_keycert.lo src/sbearssl/sbearssl_get_tas.lo src/sbearssl/sbearssl_isder.lo src/sbearssl/sbearssl_pem_decode_from_buffer.lo src/sbearssl/sbearssl_pem_decode_from_string.lo src/sbearssl/sbearssl_pem_push.lo src/sbearssl/sbearssl_pkey_from.lo src/sbearssl/sbearssl_pkey_to.lo src/sbearssl/sbearssl_rsa_pkey_from.lo src/sbearssl/sbearssl_rsa_pkey_to.lo src/sbearssl/sbearssl_rsa_skey_from.lo src/sbearssl/sbearssl_rsa_skey_to.lo src/sbearssl/sbearssl_run.lo src/sbearssl/sbearssl_sctx_init_full_generic.lo src/sbearssl/sbearssl_sctx_set_policy_sni.lo src/sbearssl/sbearssl_send_environment.lo src/sbearssl/sbearssl_server_init_and_run.lo src/sbearssl/sbearssl_skey_from.lo src/sbearssl/sbearssl_skey_readfile.lo src/sbearssl/sbearssl_skey_storagelen.lo src/sbearssl/sbearssl_skey_to.lo src/sbearssl/sbearssl_skey_wipe.lo src/sbearssl/sbearssl_sni_policy_add_keypair_file.lo src/sbearssl/sbearssl_sni_policy_init.lo src/sbearssl/sbearssl_sni_policy_nkeypairs.lo src/sbearssl/sbearssl_sni_policy_vtable.lo src/sbearssl/sbearssl_suite_bits.lo src/sbearssl/sbearssl_suite_list.lo src/sbearssl/sbearssl_suite_name.lo src/sbearssl/sbearssl_ta_cert.lo src/sbearssl/sbearssl_ta_certs.lo src/sbearssl/sbearssl_ta_from.lo src/sbearssl/sbearssl_ta_readdir.lo src/sbearssl/sbearssl_ta_readfile.lo src/sbearssl/sbearssl_ta_to.lo 
src/sbearssl/sbearssl_x500_from_ta.lo src/sbearssl/sbearssl_x500_name_len.lo src/sbearssl/sbearssl_x509_minimal_set_tai.lo src/sbearssl/sbearssl_x509_small_init_full.lo src/sbearssl/sbearssl_x509_small_vtable.lo src/sbearssl/sbearssl_dayseconds_from_tai.lo src/sbearssl/sbearssl_tai_from_dayseconds.lo src/sbearssl/sbearssl_x509_time_check.lo
ifeq ($(strip $(STATIC_LIBS_ARE_PIC)),)
libstls.a.xyzzy: src/stls/stls_drop.o src/stls/stls_handshake.o src/stls/stls_run.o src/stls/stls_client_init_and_handshake.o src/stls/stls_server_init_and_handshake.o src/stls/stls_send_environment.o
else
diff --git a/package/info b/package/info
index aac1f02..3b8bbfc 100644
--- a/package/info
+++ b/package/info
@@ -1,4 +1,4 @@
package=s6-networking
-version=2.7.3.0
+version=2.8.0.0
category=net
package_macro_name=S6_NETWORKING
diff --git a/src/include/s6-networking/sbearssl.h b/src/include/s6-networking/sbearssl.h
index 06815a8..017d38b 100644
--- a/src/include/s6-networking/sbearssl.h
+++ b/src/include/s6-networking/sbearssl.h
@@ -74,8 +74,7 @@ extern int sbearssl_x509_minimal_set_tai (br_x509_minimal_context *, tai const *
extern int sbearssl_x509_time_check (void *, uint32_t, uint32_t, uint32_t, uint32_t) ; /* br_x509_time_check */
extern br_x509_class const sbearssl_x509_small_vtable ;
-extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *) ;
-extern void sbearssl_x509_small_init_full_options (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *, uint32_t) ;
+extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *, uint32_t) ;
/* Cipher suites */
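Review bot: The new trailing `uint32_t` of sbearssl_x509_small_init_full has neither a parameter name nor a comment in the header, so nothing in the public API says which bits are accepted; the only caller in this commit passes `!!(preoptions & 2)`, and the commit title suggests that value 1 means noverifycert, but a reader has to infer that. Since this is the switch that turns off peer-certificate verification entirely, I would name the parameter and state the bit assignment next to the prototype, e.g. `extern void sbearssl_x509_small_init_full (sbearssl_x509_small_context *, br_x509_trust_anchor *, size_t, sbearssl_dn *, uint8_t *, char *, uint32_t flags) ; /* flags: bit 0 = do not verify the peer certificate (noverifycert); other bits reserved, pass 0 -- confirm against sbearssl_x509_small_vtable */`, and ideally a named constant for that bit in this header so callers stop hard-coding it. The removal of sbearssl_x509_small_init_full_options without a compatibility wrapper is an API/ABI break, which the 2.8.0.0 bump covers, but the upgrade.html change in this same commit does not mention it yet.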
diff --git a/src/sbearssl/deps-lib/sbearssl b/src/sbearssl/deps-lib/sbearssl
index cab0e36..ca68ead 100644
--- a/src/sbearssl/deps-lib/sbearssl
+++ b/src/sbearssl/deps-lib/sbearssl
@@ -53,7 +53,6 @@ sbearssl_x500_from_ta.o
sbearssl_x500_name_len.o
sbearssl_x509_minimal_set_tai.o
sbearssl_x509_small_init_full.o
-sbearssl_x509_small_init_full_options.o
sbearssl_x509_small_vtable.o
sbearssl_dayseconds_from_tai.o
sbearssl_tai_from_dayseconds.o
diff --git a/src/sbearssl/sbearssl_client_init_and_run.c b/src/sbearssl/sbearssl_client_init_and_run.c
index 5dc764f..63f4bbd 100644
--- a/src/sbearssl/sbearssl_client_init_and_run.c
+++ b/src/sbearssl/sbearssl_client_init_and_run.c
@@ -45,7 +45,7 @@ void sbearssl_client_init_and_run (int *fds, tain const *tto, uint32_t preoption
br_x509_minimal_context dummy ; /* wasteful but the only simple API we have */
br_ssl_client_init_full(&cc, &dummy, btas, n) ;
}
- sbearssl_x509_small_init_full_options(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash, !!(preoptions & 2)) ;
+ sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash, !!(preoptions & 2)) ;
if (!sbearssl_x509_small_set_tain_g(&xc))
strerr_diefu1sys(111, "initialize validation time") ;
br_ssl_engine_set_x509(&cc.eng, &xc.vtable) ;
diff --git a/src/sbearssl/sbearssl_server_init_and_run.c b/src/sbearssl/sbearssl_server_init_and_run.c
index 248a18a..9efa53a 100644
--- a/src/sbearssl/sbearssl_server_init_and_run.c
+++ b/src/sbearssl/sbearssl_server_init_and_run.c
@@ -99,7 +99,7 @@ void sbearssl_server_init_and_run (int *fds, tain const *tto, uint32_t preoption
for (size_t i = 0 ; i < n ; i++)
sbearssl_ta_to(genalloc_s(sbearssl_ta, &tas) + i, btas + i, tastorage.s) ;
genalloc_free(sbearssl_ta, &tas) ;
- sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash) ;
+ sbearssl_x509_small_init_full(&xc, btas, n, &cbarg->eedn, &cbarg->eltstatus, cbarg->eehash, 0) ;
if (!sbearssl_x509_small_set_tain_g(&xc))
strerr_diefu1sys(111, "initialize validation time") ;
br_ssl_engine_set_default_rsavrfy(&sc.eng) ;
diff --git a/src/sbearssl/sbearssl_x509_small_init_full.c b/src/sbearssl/sbearssl_x509_small_init_full.c
index 1ed879f..063afd3 100644
--- a/src/sbearssl/sbearssl_x509_small_init_full.c
+++ b/src/sbearssl/sbearssl_x509_small_init_full.c
@@ -1,8 +1,46 @@
/* ISC license. */
+#include <stddef.h>
+#include <stdint.h>
+
+#include <bearssl.h>
+
+#include <skalibs/tai.h>
+
#include <s6-networking/sbearssl.h>
-void sbearssl_x509_small_init_full (sbearssl_x509_small_context *ctx, br_x509_trust_anchor *btas, size_t n, sbearssl_dn *eedn, uint8_t *eltstatus, char *eehash)
+struct eltinfo_s
+{
+ size_t offset ;
+ size_t size ;
+ unsigned char oid[4] ;
+} ;
+
+static struct eltinfo_s const eltinfo[6] =
+{
+ { .offset = offsetof(sbearssl_dn, c), .size = sizeof(((sbearssl_dn *)0)->c), .oid = "\x03\x55\x04\x06" },
+ { .offset = offsetof(sbearssl_dn, st), .size = sizeof(((sbearssl_dn *)0)->st), .oid = "\x03\x55\x04\x08" },
+ { .offset = offsetof(sbearssl_dn, l), .size = sizeof(((sbearssl_dn *)0)->l), .oid = "\x03\x55\x04\x07" },
+ { .offset = offsetof(sbearssl_dn, o), .size = sizeof(((sbearssl_dn *)0)->o), .oid = "\x03\x55\x04\x0a" },
+ { .offset = offsetof(sbearssl_dn, ou), .size = sizeof(((sbearssl_dn *)0)->ou), .oid = "\x03\x55\x04\x0b" },
+ { .offset = offsetof(sbearssl_dn, cn), .size = sizeof(((sbearssl_dn *)0)->cn), .oid = "\x03\x55\x04\x03" }
+} ;
+
+void sbearssl_x509_small_init_full (sbearssl_x509_small_context *ctx, br_x509_trust_anchor *btas, size_t n, sbearssl_dn *eedn, uint8_t *eltstatus, char *eehash, uint32_t flags)
{
- return sbearssl_x509_small_init_full_options(ctx, btas, n, eedn, eltstatus, eehash, 0) ;
+ ctx->vtable = &sbearssl_x509_small_vtable ;
+ br_x509_minimal_init_full(&ctx->minimal, btas, n) ;
+#ifdef BR_FEATURE_X509_TIME_CALLBACK
+ br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ;
+#endif
+ for (unsigned int i = 0 ; i < 6 ; i++)
+ {
+ ctx->elts[i].oid = eltinfo[i].oid ;
+ ctx->elts[i].buf = (char *)eedn + eltinfo[i].offset ;
+ ctx->elts[i].len = eltinfo[i].size ;
+ }
+ br_x509_minimal_set_name_elements(&ctx->minimal, ctx->elts, 6) ;
+ ctx->eltstatus = eltstatus ;
+ ctx->eehash = eehash ;
+ ctx->flags = flags ;
}
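Review bot: sbearssl_x509_small_init_full now carries the whole implementation but no header comment, and the one parameter that matters for security, `flags`, is stored verbatim at `ctx->flags = flags ;` with no statement of which bits the vtable honours; the only visible caller derives it from `!!(preoptions & 2)`, so from this file alone one cannot tell whether anything other than bit 0 is meaningful or whether stray bits are ignored. I would add a short comment block above the function describing: the six name elements copied into `eedn` (C, ST, L, O, OU, CN, in that order, as the OIDs in `eltinfo` show) with `eltstatus` and `eehash` kept for the vtable callbacks; that the time callback is installed only when BR_FEATURE_X509_TIME_CALLBACK is defined and receives a pointer to STAMP, so the validation time is whatever STAMP holds when the chain is checked; and that `flags` bit 0 presumably disables certificate verification (noverifycert per the commit title) while other bits should be zero, that last point hedged until confirmed against sbearssl_x509_small_vtable. A smaller style point: the element count 6 is repeated three times (`eltinfo[6]`, the loop bound, and the `br_x509_minimal_set_name_elements` call); `sizeof eltinfo / sizeof eltinfo[0]` in the loop and the call would keep them in step if an element is ever added.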
diff --git a/src/sbearssl/sbearssl_x509_small_init_full_options.c b/src/sbearssl/sbearssl_x509_small_init_full_options.c
deleted file mode 100644
index ca8069b..0000000
--- a/src/sbearssl/sbearssl_x509_small_init_full_options.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/* ISC license. */
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <bearssl.h>
-
-#include <skalibs/tai.h>
-
-#include <s6-networking/sbearssl.h>
-
-struct eltinfo_s
-{
- size_t offset ;
- size_t size ;
- unsigned char oid[4] ;
-} ;
-
-static struct eltinfo_s const eltinfo[6] =
-{
- { .offset = offsetof(sbearssl_dn, c), .size = sizeof(((sbearssl_dn *)0)->c), .oid = "\x03\x55\x04\x06" },
- { .offset = offsetof(sbearssl_dn, st), .size = sizeof(((sbearssl_dn *)0)->st), .oid = "\x03\x55\x04\x08" },
- { .offset = offsetof(sbearssl_dn, l), .size = sizeof(((sbearssl_dn *)0)->l), .oid = "\x03\x55\x04\x07" },
- { .offset = offsetof(sbearssl_dn, o), .size = sizeof(((sbearssl_dn *)0)->o), .oid = "\x03\x55\x04\x0a" },
- { .offset = offsetof(sbearssl_dn, ou), .size = sizeof(((sbearssl_dn *)0)->ou), .oid = "\x03\x55\x04\x0b" },
- { .offset = offsetof(sbearssl_dn, cn), .size = sizeof(((sbearssl_dn *)0)->cn), .oid = "\x03\x55\x04\x03" }
-} ;
-
-void sbearssl_x509_small_init_full_options (sbearssl_x509_small_context *ctx, br_x509_trust_anchor *btas, size_t n, sbearssl_dn *eedn, uint8_t *eltstatus, char *eehash, uint32_t flags)
-{
- ctx->vtable = &sbearssl_x509_small_vtable ;
- br_x509_minimal_init_full(&ctx->minimal, btas, n) ;
-#ifdef BR_FEATURE_X509_TIME_CALLBACK
- br_x509_minimal_set_time_callback(&ctx->minimal, tain_secp(&STAMP), &sbearssl_x509_time_check) ;
-#endif
- for (unsigned int i = 0 ; i < 6 ; i++)
- {
- ctx->elts[i].oid = eltinfo[i].oid ;
- ctx->elts[i].buf = (char *)eedn + eltinfo[i].offset ;
- ctx->elts[i].len = eltinfo[i].size ;
- }
- br_x509_minimal_set_name_elements(&ctx->minimal, ctx->elts, 6) ;
- ctx->eltstatus = eltstatus ;
- ctx->eehash = eehash ;
- ctx->flags = flags ;
-}
diff --git a/src/tls/s6-tlsc-io.c b/src/tls/s6-tlsc-io.c
index 9098fdc..5dc56f8 100644
--- a/src/tls/s6-tlsc-io.c
+++ b/src/tls/s6-tlsc-io.c
@@ -98,7 +98,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
static gol_arg const rgola[] =
{
{ .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
- { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
{ .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
{ .so = 'd', .lo = "notification-fd", .i = GOLA_NOTIF },
} ;
@@ -122,7 +122,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
{
unsigned int kimeout ;
if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
- strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
if (kimeout) tain_from_millisecs(&tto, kimeout) ;
}
if (wgola[GOLA_NOTIF])
diff --git a/src/tls/s6-tlsc.c b/src/tls/s6-tlsc.c
index 2308a52..48a94ff 100644
--- a/src/tls/s6-tlsc.c
+++ b/src/tls/s6-tlsc.c
@@ -50,7 +50,7 @@ int main (int argc, char const *const *argv)
static gol_arg const rgola[] =
{
{ .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
- { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
{ .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
{ .so = '6', .lo = "read-fd", .i = GOLA_RFD },
{ .so = '7', .lo = "write-fd", .i = GOLA_WFD },
@@ -75,7 +75,7 @@ int main (int argc, char const *const *argv)
strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
if (wgola[GOLA_KIMEOUT])
if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
- strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
if (wgola[GOLA_RFD])
{
unsigned int fd ;
diff --git a/src/tls/s6-tlsclient.c b/src/tls/s6-tlsclient.c
index 00cd58a..ba3caf4 100644
--- a/src/tls/s6-tlsclient.c
+++ b/src/tls/s6-tlsclient.c
@@ -102,7 +102,7 @@ int main (int argc, char const *const *argv)
static gol_arg const rgola[] =
{
{ .so = 't', .lo = "timeout", .i = GOLA_TIMEOUT },
- { .so = 'l', .lo = "localname", .i = GOLA_LOCALNAME },
+ { .so = 'l', .lo = "local-name", .i = GOLA_LOCALNAME },
{ .so = 'T', .lo = "connection-timeouts", .i = GOLA_XYIMEOUT },
{ .so = 'i', .lo = "local-ip", .i = GOLA_IP },
{ .so = 'p', .lo = "local-port", .i = GOLA_PORT },
diff --git a/src/tls/s6-tlsd-io.c b/src/tls/s6-tlsd-io.c
index 08eee77..98b3a19 100644
--- a/src/tls/s6-tlsd-io.c
+++ b/src/tls/s6-tlsd-io.c
@@ -3,10 +3,12 @@
#include <stdint.h>
#include <signal.h>
+#include <skalibs/uint64.h>
#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
-#include <skalibs/sgetopt.h>
+#include <skalibs/prog.h>
#include <skalibs/strerr.h>
+#include <skalibs/gol.h>
#include <skalibs/tai.h>
#include <skalibs/sig.h>
#include <skalibs/djbunix.h>
@@ -16,6 +18,25 @@
#define USAGE "s6-tlsd-io [ -v verbosity ] [ -d notif ] [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -K timeout ] [ -k snilevel ] fdr fdw"
#define dieusage() strerr_dieusage(100, USAGE)
+enum golb_e
+{
+ GOLB_CLOSENOTIFY = 0x01,
+ GOLB_STRICTCN = 0x02,
+ GOLB_CLIENTCERT = 0x10,
+ GOLB_CLIENTCERT_ONLY = 0x20,
+ GOLB_SNI = 0x40,
+ GOLB_SNI_ONLY = 0x80,
+} ;
+
+enum gola_e
+{
+ GOLA_VERBOSITY,
+ GOLA_KIMEOUT,
+ GOLA_SNILEVEL,
+ GOLA_NOTIF,
+ GOLA_N
+} ;
+
static inline void doit (int *, tain const *tto, uint32_t, uint32_t, unsigned int, unsigned int) gccattr_noreturn ;
#ifdef S6_NETWORKING_USE_TLS
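Review bot: The USAGE string on the context line above the new enums still advertises only `-k snilevel` and none of the long options that rgolb/rgola now accept (`--sni`, `--mandatory-sni`, `--handshake-timeout`, `--notification-fd`); the USAGE lines of s6-tlsd, s6-tlsserver and s6-ucspitlsd in this diff have the same gap. The bit layout of golb_e is also what makes `wgolb >> 4` and `wgolb & 0xf` at the doit call in the last hunk of this file split correctly into preoptions and options, but nothing ties the two together. A one-line comment on the enum, such as `/* bits 0-3: options for doit(); bits 4-7: preoptions, passed as wgolb >> 4 */`, would keep the shift and the constants in step when a flag is added.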
@@ -65,47 +86,59 @@ static inline void doit (int *fds, tain const *tto, uint32_t preoptions, uint32_
int main (int argc, char const *const *argv)
{
- tain tto ;
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "client-cert", .clear = GOLB_CLIENTCERT_ONLY, .set = GOLB_CLIENTCERT },
+ { .so = 'y', .lo = "mandatory-client-cert", .clear = 0, .set = GOLB_CLIENTCERT | GOLB_CLIENTCERT_ONLY },
+ { .so = 0, .lo = "sni", .clear = GOLB_SNI_ONLY, .set = GOLB_SNI },
+ { .so = 0, .lo = "mandatory-sni", .clear = 0, .set = GOLB_SNI | GOLB_SNI_ONLY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "sni-level", .i = GOLA_SNILEVEL },
+ { .so = 'd', .lo = "notification-fd", .i = GOLA_NOTIF },
+ } ;
int fds[4] = { [2] = 0, [3] = 1 } ;
+ tain tto = TAIN_INFINITE_RELATIVE ;
unsigned int verbosity = 1 ;
unsigned int notif = 0 ;
- uint32_t preoptions = 0 ;
- uint32_t options = 0 ;
-
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
+ unsigned int golc ;
PROG = "s6-tlsd-io" ;
+
+ golc = GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (argc < 2) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
{
- subgetopt l = SUBGETOPT_ZERO ;
- unsigned int t = 0 ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "d:SsJjYyv:K:k:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'd' : if (!uint0_scan(l.arg, &notif)) dieusage() ; break ;
- case 'S' : options |= 1 ; break ;
- case 's' : options &= ~1 ; break ;
- case 'J' : options |= 2 ; break ;
- case 'j' : options &= ~2 ; break ;
- case 'Y' : preoptions |= 1 ; preoptions &= ~2 ; break ;
- case 'y' : preoptions |= 3 ; break ;
- case 'K' : if (!uint0_scan(l.arg, &t)) dieusage() ; break ;
- case 'k' :
- {
- unsigned int snilevel ;
- if (!uint0_scan(l.arg, &snilevel)) dieusage() ;
- if (snilevel) preoptions |= 4 ;
- if (snilevel >= 2) preoptions |= 8 ;
- break ;
- }
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
- if (t) tain_from_millisecs(&tto, t) ; else tto = tain_infinite_relative ;
+ unsigned int kimeout ;
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
+ if (kimeout) tain_from_millisecs(&tto, kimeout) ;
}
- if (argc < 2) dieusage() ;
+ if (wgola[GOLA_SNILEVEL])
+ {
+ unsigned int snilevel ;
+ if (!uint0_scan(wgola[GOLA_SNILEVEL], &snilevel))
+ strerr_dief2x(100, "sni-level", " must be an unsigned integer") ;
+ wgolb &= ~(GOLB_SNI | GOLB_SNI_ONLY) ;
+ wgolb |= (snilevel ? GOLB_SNI : 0) | (snilevel >= 2 ? GOLB_SNI_ONLY : 0) ;
+ }
+ if (wgola[GOLA_NOTIF])
+ if (!uint0_scan(wgola[GOLA_NOTIF], &notif))
+ strerr_dief2x(100, "notification-fd", " must be an unsigned integer") ;
+
{
unsigned int u ;
if (!uint0_scan(argv[0], &u)) dieusage() ;
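Review bot: In the new `-k` block, the sni-level value unconditionally overwrites whatever `--sni`/`--mandatory-sni` set, whatever the order on the command line, because GOL_main has already collected every option before this block runs; with the removed getopt-style loop a later option would have won. If that precedence is intended, a comment such as `/* -k takes precedence over --sni/--mandatory-sni regardless of position */` on the block would prevent surprises; the same block is repeated in s6-tlsd, s6-tlsserver and s6-ucspitlsd in this diff. Values above 2 are still accepted silently, as before.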
@@ -116,5 +149,5 @@ int main (int argc, char const *const *argv)
if (!sig_ignore(SIGPIPE)) strerr_diefu1sys(111, "ignore SIGPIPE") ;
tain_now_set_stopwatch_g() ;
- doit(fds, &tto, preoptions, options, verbosity, notif) ;
+ doit(fds, &tto, wgolb >> 4, wgolb & 0xf, verbosity, notif) ;
}
diff --git a/src/tls/s6-tlsd.c b/src/tls/s6-tlsd.c
index acd2945..7d144f8 100644
--- a/src/tls/s6-tlsd.c
+++ b/src/tls/s6-tlsd.c
@@ -3,57 +3,91 @@
#include <stdint.h>
#include <unistd.h>
+#include <skalibs/uint64.h>
#include <skalibs/types.h>
-#include <skalibs/sgetopt.h>
+#include <skalibs/prog.h>
#include <skalibs/strerr.h>
+#include <skalibs/gol.h>
#include "s6tls-internal.h"
#define USAGE "s6-tlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -k snilevel ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
+enum golb_e
+{
+ GOLB_CLOSENOTIFY = 0x0001,
+ GOLB_STRICTCN = 0x0002,
+ GOLB_CLIENTCERT = 0x0004,
+ GOLB_CLIENTCERT_ONLY = 0x0008,
+ GOLB_SNI = 0x0010,
+ GOLB_SNI_ONLY = 0x0020,
+ GOLB_KEEP = 0x100,
+} ;
+
+enum gola_e
+{
+ GOLA_VERBOSITY,
+ GOLA_KIMEOUT,
+ GOLA_SNILEVEL,
+ GOLA_N
+} ;
+
int main (int argc, char const *const *argv)
{
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "client-cert", .clear = GOLB_CLIENTCERT_ONLY, .set = GOLB_CLIENTCERT },
+ { .so = 'y', .lo = "mandatory-client-cert", .clear = 0, .set = GOLB_CLIENTCERT | GOLB_CLIENTCERT_ONLY },
+ { .so = 'z', .lo = "no-keep", .clear = GOLB_KEEP, .set = 0 },
+ { .so = 'Z', .lo = "keep", .clear = 0, .set = GOLB_KEEP },
+ { .so = 0, .lo = "sni", .clear = GOLB_SNI_ONLY, .set = GOLB_SNI },
+ { .so = 0, .lo = "mandatory-sni", .clear = 0, .set = GOLB_SNI | GOLB_SNI_ONLY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "sni-level", .i = GOLA_SNILEVEL },
+ } ;
+ int p[8] = { [6] = 0, [7] = 1 } ;
unsigned int verbosity = 1 ;
unsigned int kimeout = 0 ;
- unsigned int snilevel = 0 ;
- uint32_t coptions = 0 ;
- uint32_t poptions = 1 ;
pid_t pid ;
- int p[8] = { [6] = 0, [7] = 1 } ;
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
char const *newargv[S6TLS_PREP_IO_ARGC] ;
char buf[S6TLS_PREP_IO_BUFLEN] ;
+ unsigned int golc ;
PROG = "s6-tlsd" ;
+
+ golc = GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (!argc) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
+ if (wgola[GOLA_SNILEVEL])
{
- subgetopt l = SUBGETOPT_ZERO ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "SsJjyYv:K:Zzk:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'S' : coptions |= 4 ; break ;
- case 's' : coptions &= ~4 ; break ;
- case 'J' : coptions |= 8 ; break ;
- case 'j' : coptions &= ~8 ; break ;
- case 'y' : coptions |= 3 ; break ;
- case 'Y' : coptions |= 1 ; coptions &= ~2 ; break ;
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
- case 'Z' : poptions &= ~1 ; break ;
- case 'z' : poptions |= 1 ; break ;
- case 'k' : if (!uint0_scan(l.arg, &snilevel)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
+ unsigned int snilevel ;
+ if (!uint0_scan(wgola[GOLA_SNILEVEL], &snilevel))
+ strerr_dief2x(100, "sni-level", " must be an unsigned integer") ;
+ wgolb &= ~(GOLB_SNI | GOLB_SNI_ONLY) ;
+ wgolb |= (snilevel ? GOLB_SNI : 0) | (snilevel >= 2 ? GOLB_SNI_ONLY : 0) ;
}
- if (!argc) dieusage() ;
if (pipe(p) == -1 || pipe(p+2) == -1 || pipe(p+4) == -1)
strerr_diefu1sys(111, "create pipe") ;
- s6tls_prep_tlsdio(newargv, buf, p, coptions, verbosity, kimeout, snilevel) ;
+ s6tls_prep_tlsdio(newargv, buf, p, wgolb & 0xff, verbosity, kimeout) ;
pid = s6tls_io_spawn(newargv, p, 0) ;
if (!pid) strerr_diefu2sys(111, "spawn ", newargv[0]) ;
- s6tls_sync_and_exec_app(argv, p, pid, poptions) ;
+ s6tls_sync_and_exec_app(argv, p, pid, wgolb >> 8) ;
}
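Review bot: The meaning of the bit handed to s6tls_sync_and_exec_app appears inverted by this hunk: the removed code initialised `poptions` to 1, cleared it on `-Z` and set it on `-z`, while the new call passes `wgolb >> 8`, which is 1 only when `-Z`/`--keep` sets GOLB_KEEP and 0 by default. Unless s6tls_sync_and_exec_app's reading of bit 0 was changed in the same commit (not visible here), the default now requests the opposite of the old behaviour, presumably leaving in the application's environment the variables that `-z`/`--no-keep` is meant to strip. If the callee is unchanged, `s6tls_sync_and_exec_app(argv, p, pid, wgolb & GOLB_KEEP ? 0 : 1) ;` restores the previous contract; the same inversion occurs in s6-ucspitlsd at the s6tls_ucspi_exec_app call, where `wgolb >> 8` replaces a `poptions` that also defaulted to 1. A minor style point: GOLB_KEEP is written `0x100` while its siblings use four hex digits.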
diff --git a/src/tls/s6-tlsserver.c b/src/tls/s6-tlsserver.c
index b2c3683..0d1526f 100644
--- a/src/tls/s6-tlsserver.c
+++ b/src/tls/s6-tlsserver.c
@@ -17,6 +17,7 @@
"s6-tlsd options: [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ] [ -k snilevel ]"
#define dieusage() strerr_dieusage(100, USAGE)
+#define dieint(s) strerr_dief(100, (s), " must be an unsigned integer")
typedef struct options_s options_t, *options_t_ref ;
struct options_s
@@ -30,7 +31,6 @@ struct options_s
unsigned int backlog ;
unsigned int timeout ;
unsigned int kimeout ;
- unsigned int snilevel ;
} ;
#define OPTIONS_ZERO \
@@ -43,7 +43,6 @@ struct options_s
.backlog = (unsigned int)-1, \
.timeout = 0, \
.kimeout = 0, \
- .snilevel = 0, \
}
enum golb_e
@@ -64,6 +63,8 @@ enum golb_e
GOLB_OPTCERT = 0x2000,
GOLB_MANDCERT = 0x4000,
GOLB_KEEPENV = 0x8000,
+ GOLB_SNI = 0x10000,
+ GOLB_SNI_ONLY = 0x20000,
} ;
enum gola_e
@@ -93,25 +94,27 @@ int main (int argc, char const *const *argv)
{ .so = 'v', .lo = "verbose", .clear = GOLB_QUIET, .set = GOLB_VERBOSE },
{ .so = '1', .lo = "notify", .clear = 0, .set = GOLB_NOTIF },
{ .so = 'L', .lo = "proxy", .clear = 0, .set = GOLB_PROXY },
- { .so = 'U', .lo = "with-envuidgid", .clear = 0, .set = GOLB_UIDGID },
+ { .so = 'U', .lo = "envuidgid", .clear = 0, .set = GOLB_UIDGID },
{ .so = 'W', .lo = "no-strict-resolution", .clear = GOLB_STRICTRES, .set = 0 },
{ .so = 'w', .lo = "strict-resolution", .clear = 0, .set = GOLB_STRICTRES },
- { .so = 'd', .lo = "enable-nagle", .clear = GOLB_NONAGLE, .set = 0 },
- { .so = 'D', .lo = "disable-nagle", .clear = 0, .set = GOLB_NONAGLE },
- { .so = 'H', .lo = "disable-dns-lookups", .clear = 0, .set = GOLB_NOLOOKUPS },
- { .so = 'h', .lo = "with-etchosts", .clear = 0, .set = GOLB_HOSTS },
- { .so = 'R', .lo = "disable-ident-lookups", .clear = GOLB_IDENT, .set = 0 },
- { .so = 'r', .lo = "enable-ident-lookups", .clear = 0, .set = GOLB_IDENT },
- { .so = 'P', .lo = "disable-paranoid-lookups", .clear = GOLB_PARANOID, .set = 0 },
- { .so = 'p', .lo = "enable-paranoid-lookups", .clear = 0, .set = GOLB_PARANOID },
- { .so = 's', .lo = "disable-closenotify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
- { .so = 'S', .lo = "enable-closenotify", .clear = 0, .set = GOLB_CLOSENOTIFY },
- { .so = 'j', .lo = "allow-raw-eof", .clear = GOLB_FATALEOF, .set = 0 },
- { .so = 'J', .lo = "disallow-raw-eof", .clear = 0, .set = GOLB_FATALEOF },
- { .so = 'Y', .lo = "request-client-certificate", .clear = GOLB_MANDCERT, .set = GOLB_OPTCERT },
- { .so = 'y', .lo = "demand-client-certificate", .clear = GOLB_OPTCERT, .set = GOLB_MANDCERT },
- { .so = 'z', .lo = "no-keep-tlsd-environment", .clear = GOLB_KEEPENV, .set = 0 },
- { .so = 'Z', .lo = "keep-tlsd-environment", .clear = 0, .set = GOLB_KEEPENV },
+ { .so = 'd', .lo = "nagle", .clear = GOLB_NONAGLE, .set = 0 },
+ { .so = 'D', .lo = "no-nagle", .clear = 0, .set = GOLB_NONAGLE },
+ { .so = 0, .lo = "dns", .clear = GOLB_NOLOOKUPS, .set = 0 },
+ { .so = 'H', .lo = "no-dns", .clear = 0, .set = GOLB_NOLOOKUPS },
+ { .so = 0, .lo = "no-hosts", .clear = GOLB_HOSTS, .set = 0 },
+ { .so = 'h', .lo = "hosts", .clear = 0, .set = GOLB_HOSTS },
+ { .so = 'R', .lo = "no-ident", .clear = GOLB_IDENT, .set = 0 },
+ { .so = 'r', .lo = "ident", .clear = 0, .set = GOLB_IDENT },
+ { .so = 'P', .lo = "no-paranoid", .clear = GOLB_PARANOID, .set = 0 },
+ { .so = 'p', .lo = "paranoid", .clear = 0, .set = GOLB_PARANOID },
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_FATALEOF, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_FATALEOF },
+ { .so = 'Y', .lo = "client-cert", .clear = GOLB_MANDCERT, .set = GOLB_OPTCERT },
+ { .so = 'y', .lo = "mandatory-client-cert", .clear = GOLB_OPTCERT, .set = GOLB_MANDCERT },
+ { .so = 'z', .lo = "no-keep", .clear = GOLB_KEEPENV, .set = 0 },
+ { .so = 'Z', .lo = "keep", .clear = 0, .set = GOLB_KEEPENV },
} ;
static gol_arg const rgola[] =
{
@@ -143,17 +146,17 @@ int main (int argc, char const *const *argv)
if (wgola[GOLA_MAXCONN])
{
- if (!uint0_scan(wgola[GOLA_MAXCONN], &o.maxconn)) dieusage() ;
+ if (!uint0_scan(wgola[GOLA_MAXCONN], &o.maxconn)) dieint("global-max-connections") ;
if (!o.maxconn) o.maxconn = 1 ;
}
if (wgola[GOLA_LMAXCONN])
{
- if (!uint0_scan(wgola[GOLA_LMAXCONN], &o.localmaxconn)) dieusage() ;
+ if (!uint0_scan(wgola[GOLA_LMAXCONN], &o.localmaxconn)) dieint("local-max-connections") ;
if (!o.localmaxconn) o.localmaxconn = 1 ;
}
if (wgola[GOLA_BACKLOG])
{
- if (!uint0_scan(wgola[GOLA_BACKLOG], &o.backlog)) dieusage() ;
+ if (!uint0_scan(wgola[GOLA_BACKLOG], &o.backlog)) dieint("backlog") ;
}
if (wgola[GOLA_GIDLIST])
{
@@ -162,25 +165,29 @@ int main (int argc, char const *const *argv)
}
if (wgola[GOLA_GID])
{
- if (!gid0_scan(wgola[GOLA_GID], &o.gid)) dieusage() ;
+ if (!gid0_scan(wgola[GOLA_GID], &o.gid)) dieint("gid") ;
doapply = 1 ;
}
if (wgola[GOLA_UID])
{
- if (!uid0_scan(wgola[GOLA_UID], &o.uid)) dieusage() ;
+ if (!uid0_scan(wgola[GOLA_UID], &o.uid)) dieint("uid") ;
doapply = 1 ;
}
if (wgola[GOLA_TIMEOUT])
{
- if (!uint0_scan(wgola[GOLA_TIMEOUT], &o.timeout)) dieusage() ;
+ if (!uint0_scan(wgola[GOLA_TIMEOUT], &o.timeout)) dieint("timeout") ;
}
if (wgola[GOLA_KIMEOUT])
{
- if (!uint0_scan(wgola[GOLA_KIMEOUT], &o.kimeout)) dieusage() ;
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &o.kimeout)) dieint("handshake-timeout") ;
}
if (wgola[GOLA_SNILEVEL])
{
- if (!uint0_scan(wgola[GOLA_SNILEVEL], &o.snilevel)) dieusage() ;
+ unsigned int snilevel ;
+ if (!uint0_scan(wgola[GOLA_SNILEVEL], &snilevel))
+ strerr_dief2x(100, "snilevel", " must be an unsigned integer") ;
+ wgolb &= ~(GOLB_SNI | GOLB_SNI_ONLY) ;
+ wgolb |= (snilevel ? GOLB_SNI : 0) | (snilevel >= 2 ? GOLB_SNI_ONLY : 0) ;
}
if (wgolb & GOLB_UIDGID)
{
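Review bot: The sni-level check at the end of this hunk is the only one in the file that does not use the dieint() macro this commit introduces, and its message names the option "snilevel" whereas the other tls programs in this diff spell the long option `sni-level`. For consistency with the surrounding conversions, `if (!uint0_scan(wgola[GOLA_SNILEVEL], &snilevel)) dieint("sni-level") ;` (assuming that is the long name in this program's rgola, which lies outside the hunk).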
@@ -197,11 +204,12 @@ int main (int argc, char const *const *argv)
|| !!(wgolb & (GOLB_STRICTRES | GOLB_NONAGLE | GOLB_IDENT | GOLB_PARANOID))
|| !!wgola[GOLA_LOCALNAME] || !!wgola[GOLA_BANNER] || !!wgola[GOLA_RULESDIR] || !!wgola[GOLA_RULESFILE]
|| !!o.timeout ;
- char fmt[UINT_FMT * 5 + UID_FMT + GID_FMT * (NGROUPS_MAX + 1)] ;
- char const *newargv[54 + argc] ;
+ char const *newargv[55 + argc] ;
+ char fmt[UINT_FMT * 5 + UID_FMT + GID_FMT + (o.gidn == (size_t)-1 ? 0 : o.gidn * GID_FMT)] ;
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ;
- if (wgolb & GOLB_QUIET) newargv[m++] = "-q" ; else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v" ;
+ if (wgolb & GOLB_QUIET) newargv[m++] = "-q" ;
+ else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v" ;
if (wgolb & GOLB_NOTIF) newargv[m++] = "-1" ;
if (o.maxconn)
{
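Review bot: `fmt` is now a VLA whose size depends on `o.gidn`, i.e. on the length of the user-supplied gid list, where the removed line used a fixed `NGROUPS_MAX + 1` bound; this is only safe if the gid-list parser (outside this hunk) caps `o.gidn` at NGROUPS_MAX, otherwise a long list becomes an unbounded stack allocation. If that cap exists, a comment such as `/* o.gidn <= NGROUPS_MAX, enforced when the gid list is parsed */` documents the assumption; if it does not, the fixed bound should stay. `newargv` also grows from 54 to 55 + argc without a note on how the worst case is counted; a short comment listing the maximum number of tokens would keep it honest as options are added.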
@@ -230,7 +238,8 @@ int main (int argc, char const *const *argv)
if (doaccess)
{
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver-access" ;
- if (wgolb & GOLB_QUIET) newargv[m++] = "-v0" ; else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v2" ;
+ if (wgolb & GOLB_QUIET) newargv[m++] = "-v0" ;
+ else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v2" ;
if (wgolb & GOLB_STRICTRES) newargv[m++] = "-w" ;
if (wgolb & GOLB_NONAGLE) newargv[m++] = "-D" ;
if (wgolb & GOLB_NOLOOKUPS) newargv[m++] = "-H" ;
@@ -273,7 +282,8 @@ int main (int argc, char const *const *argv)
newargv[m++] = "--" ;
}
newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tlsd" ;
- if (wgolb & GOLB_QUIET) newargv[m++] = "-v0" ; else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v2" ;
+ if (wgolb & GOLB_QUIET) newargv[m++] = "-v0" ;
+ else if (wgolb & GOLB_VERBOSE) newargv[m++] = "-v2" ;
if (wgolb & GOLB_CLOSENOTIFY) newargv[m++] = "-S" ;
if (wgolb & GOLB_FATALEOF) newargv[m++] = "-J" ;
if (wgolb & GOLB_MANDCERT) newargv[m++] = "-y" ;
@@ -286,8 +296,7 @@ int main (int argc, char const *const *argv)
fmt[pos++] = 0 ;
}
if (wgolb & GOLB_KEEPENV) newargv[m++] = "-Z" ;
- if (o.snilevel >= 2) newargv[m++] = "-k2" ;
- else if (o.snilevel) newargv[m++] = "-k1" ;
+ if (wgolb & GOLB_SNI) newargv[m++] = wgolb & GOLB_SNI_ONLY ? "--mandatory-sni" : "--sni" ;
newargv[m++] = "--" ;
if (doapply)
{
diff --git a/src/tls/s6-ucspitlsc.c b/src/tls/s6-ucspitlsc.c
index 60f76de..fec2513 100644
--- a/src/tls/s6-ucspitlsc.c
+++ b/src/tls/s6-ucspitlsc.c
@@ -101,7 +101,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
static gol_arg const rgola[] =
{
{ .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
- { .so = 'K', .lo = "kimeout", .i = GOLA_KIMEOUT },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
{ .so = 'k', .lo = "servername", .i = GOLA_SERVERNAME },
{ .so = '6', .lo = "read-fd", .i = GOLA_RFD },
{ .so = '7', .lo = "write-fd", .i = GOLA_WFD },
@@ -125,7 +125,7 @@ int main (int argc, char const *const *argv, char const *const *envp)
strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
if (wgola[GOLA_KIMEOUT])
if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
- strerr_dief2x(100, "kimeout", " must be an unsigned integer") ;
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
if (wgola[GOLA_RFD])
{
unsigned int fd ;
diff --git a/src/tls/s6-ucspitlsd.c b/src/tls/s6-ucspitlsd.c
index d2b9580..d94e815 100644
--- a/src/tls/s6-ucspitlsd.c
+++ b/src/tls/s6-ucspitlsd.c
@@ -4,12 +4,11 @@
#include <unistd.h>
#include <skalibs/gccattributes.h>
+#include <skalibs/uint64.h>
#include <skalibs/types.h>
-#include <skalibs/sgetopt.h>
-#include <skalibs/strerr.h>
+#include <skalibs/envexec.h>
#include <skalibs/djbunix.h>
#include <skalibs/socket.h>
-#include <skalibs/exec.h>
#include <s6-networking/config.h>
#include "s6tls-internal.h"
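Review bot: This hunk drops `<skalibs/strerr.h>` although the file still calls strerr_dief1x and strerr_diefu1sys in the hunks below, and it adds neither `<skalibs/gol.h>` nor `<skalibs/prog.h>` even though main now uses GOL_main and PROG, whereas s6-tlsd.c and s6-tlsd-io.c in this same commit include all three explicitly. Unless `<skalibs/envexec.h>` or s6tls-internal.h transitively provides them, the file compiles only by accident; including them directly, as the sibling files do, keeps the translation unit self-contained either way.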
@@ -17,8 +16,27 @@
#define USAGE "s6-ucspitlsd [ -S | -s ] [ -J | -j ] [ -Y | -y ] [ -k snilevel ] [ -v verbosity ] [ -K timeout ] [ -Z | -z ] prog..."
#define dieusage() strerr_dieusage(100, USAGE)
-static inline void child (int *, uint32_t, unsigned int, unsigned int, unsigned int, pid_t) gccattr_noreturn ;
-static inline void child (int *p, uint32_t options, unsigned int verbosity, unsigned int kimeout, unsigned int snilevel, pid_t pid)
+enum golb_e
+{
+ GOLB_CLOSENOTIFY = 0x0001,
+ GOLB_STRICTCN = 0x0002,
+ GOLB_CLIENTCERT = 0x0004,
+ GOLB_CLIENTCERT_ONLY = 0x0008,
+ GOLB_SNI = 0x0010,
+ GOLB_SNI_ONLY = 0x0020,
+ GOLB_KEEP = 0x100,
+} ;
+
+enum gola_e
+{
+ GOLA_VERBOSITY,
+ GOLA_KIMEOUT,
+ GOLA_SNILEVEL,
+ GOLA_N
+} ;
+
+static inline void child (int *, uint32_t, unsigned int, unsigned int, pid_t) gccattr_noreturn ;
+static inline void child (int *p, uint32_t options, unsigned int verbosity, unsigned int kimeout, pid_t pid)
{
ssize_t r ;
char const *newargv[S6TLS_PREP_IO_ARGC] ;
@@ -52,7 +70,7 @@ static inline void child (int *p, uint32_t options, unsigned int verbosity, unsi
default :
strerr_dief1x(100, "unrecognized command on control socket") ;
}
- s6tls_prep_tlsdio(newargv, buf, p, options, verbosity, kimeout, snilevel) ;
+ s6tls_prep_tlsdio(newargv, buf, p, options, verbosity, kimeout) ;
if (verbosity >= 2)
{
char fmt[PID_FMT] ;
@@ -64,40 +82,52 @@ static inline void child (int *p, uint32_t options, unsigned int verbosity, unsi
int main (int argc, char const *const *argv)
{
+ static gol_bool const rgolb[] =
+ {
+ { .so = 's', .lo = "no-close-notify", .clear = GOLB_CLOSENOTIFY, .set = 0 },
+ { .so = 'S', .lo = "close-notify", .clear = 0, .set = GOLB_CLOSENOTIFY },
+ { .so = 'j', .lo = "no-enforce-close-notify", .clear = GOLB_STRICTCN, .set = 0 },
+ { .so = 'J', .lo = "enforce-close-notify", .clear = 0, .set = GOLB_STRICTCN },
+ { .so = 'Y', .lo = "client-cert", .clear = GOLB_CLIENTCERT_ONLY, .set = GOLB_CLIENTCERT },
+ { .so = 'y', .lo = "mandatory-client-cert", .clear = 0, .set = GOLB_CLIENTCERT | GOLB_CLIENTCERT_ONLY },
+ { .so = 'z', .lo = "no-keep", .clear = GOLB_KEEP, .set = 0 },
+ { .so = 'Z', .lo = "keep", .clear = 0, .set = GOLB_KEEP },
+ { .so = 0, .lo = "sni", .clear = GOLB_SNI_ONLY, .set = GOLB_SNI },
+ { .so = 0, .lo = "mandatory-sni", .clear = 0, .set = GOLB_SNI | GOLB_SNI_ONLY },
+ } ;
+ static gol_arg const rgola[] =
+ {
+ { .so = 'v', .lo = "verbosity", .i = GOLA_VERBOSITY },
+ { .so = 'K', .lo = "handshake-timeout", .i = GOLA_KIMEOUT },
+ { .so = 'k', .lo = "sni-level", .i = GOLA_SNILEVEL },
+ } ;
+ int p[6] ;
unsigned int verbosity = 1 ;
unsigned int kimeout = 0 ;
- unsigned int snilevel = 0 ;
- uint32_t coptions = 0 ;
- uint32_t poptions = 1 ;
- int p[6] ;
pid_t pid ;
-
+ uint64_t wgolb = 0 ;
+ char const *wgola[GOLA_N] = { 0 } ;
+ unsigned int golc ;
PROG = "s6-ucspitlsd (parent)" ;
+
+ golc = GOL_main(argc, argv, rgolb, rgola, &wgolb, wgola) ;
+ argc -= golc ; argv += golc ;
+ if (!argc) dieusage() ;
+
+ if (wgola[GOLA_VERBOSITY])
+ if (!uint0_scan(wgola[GOLA_VERBOSITY], &verbosity))
+ strerr_dief2x(100, "verbosity", " must be an unsigned integer") ;
+ if (wgola[GOLA_KIMEOUT])
+ if (!uint0_scan(wgola[GOLA_KIMEOUT], &kimeout))
+ strerr_dief2x(100, "handshake-timeout", " must be an unsigned integer") ;
+ if (wgola[GOLA_SNILEVEL])
{
- subgetopt l = SUBGETOPT_ZERO ;
- for (;;)
- {
- int opt = subgetopt_r(argc, argv, "SsJjyYv:K:Zzk:", &l) ;
- if (opt == -1) break ;
- switch (opt)
- {
- case 'S' : coptions |= 4 ; break ;
- case 's' : coptions &= ~4 ; break ;
- case 'J' : coptions |= 8 ; break ;
- case 'j' : coptions &= ~8 ; break ;
- case 'y' : coptions |= 3 ; break ;
- case 'Y' : coptions |= 1 ; coptions &= ~2 ; break ;
- case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ;
- case 'K' : if (!uint0_scan(l.arg, &kimeout)) dieusage() ; break ;
- case 'Z' : poptions &= ~1 ; break ;
- case 'z' : poptions |= 1 ; break ;
- case 'k' : if (!uint0_scan(l.arg, &snilevel)) dieusage() ; break ;
- default : dieusage() ;
- }
- }
- argc -= l.ind ; argv += l.ind ;
+ unsigned int snilevel ;
+ if (!uint0_scan(wgola[GOLA_SNILEVEL], &snilevel))
+ strerr_dief2x(100, "sni-level", " must be an unsigned integer") ;
+ wgolb &= ~(GOLB_SNI | GOLB_SNI_ONLY) ;
+ wgolb |= (snilevel ? GOLB_SNI : 0) | (snilevel >= 2 ? GOLB_SNI_ONLY : 0) ;
}
- if (!argc) dieusage() ;
if (pipe(p) == -1 || pipe(p+2) == -1) strerr_diefu1sys(111, "pipe") ;
if (ipc_pair_b(p+4) == -1) strerr_diefu1sys(111, "ipc_pair") ;
@@ -106,8 +136,8 @@ int main (int argc, char const *const *argv)
switch (fork())
{
case -1 : strerr_diefu1sys(111, "fork") ;
- case 0 : child(p, coptions, verbosity, kimeout, snilevel, pid) ;
+ case 0 : child(p, wgolb & 0xff, verbosity, kimeout, pid) ;
default : break ;
}
- s6tls_ucspi_exec_app(argv, p, poptions) ;
+ s6tls_ucspi_exec_app(argv, p, wgolb >> 8) ;
}
diff --git a/src/tls/s6tls-internal.h b/src/tls/s6tls-internal.h
index 1ab77f6..87b781b 100644
--- a/src/tls/s6tls-internal.h
+++ b/src/tls/s6tls-internal.h
@@ -9,12 +9,12 @@
#include <skalibs/gccattributes.h>
#include <skalibs/types.h>
-#define S6TLS_PREP_IO_ARGC 16
+#define S6TLS_PREP_IO_ARGC 15
#define S6TLS_PREP_IO_BUFLEN (5 * UINT_FMT)
extern pid_t s6tls_io_spawn (char const *const *argv, int const *, int) ;
extern void s6tls_prep_tlscio (char const **, char *, int const *, uint32_t, unsigned int, unsigned int, char const *) ;
-extern void s6tls_prep_tlsdio (char const **, char *, int const *, uint32_t, unsigned int, unsigned int, unsigned int) ;
+extern void s6tls_prep_tlsdio (char const **, char *, int const *, uint32_t, unsigned int, unsigned int) ;
extern void s6tls_sync_and_exec_app (char const *const *, int const *, pid_t, uint32_t) gccattr_noreturn ;
extern void s6tls_ucspi_exec_app (char const *const *, int const *, uint32_t) gccattr_noreturn ;
extern void s6tls_clean_and_exec (char const *const *, uint32_t, char const *, size_t) gccattr_noreturn ;
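Review bot: S6TLS_PREP_IO_ARGC is cut from 16 to 15 with no indication of how the count is derived, and the same constant sizes the argv that s6tls_prep_tlscio fills, whose signature this commit leaves untouched; the reduction is only safe if that function's worst case also fits in 15 slots, which cannot be checked from this diff. A comment next to the define stating the worst-case token count for each of the two builders (including the terminating NULL, if the arrays carry one) would make the next adjustment verifiable.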
diff --git a/src/tls/s6tls_prep_tlsdio.c b/src/tls/s6tls_prep_tlsdio.c
index 8408010..b459bc1 100644
--- a/src/tls/s6tls_prep_tlsdio.c
+++ b/src/tls/s6tls_prep_tlsdio.c
@@ -5,7 +5,7 @@
#include <s6-networking/config.h>
#include "s6tls-internal.h"
-void s6tls_prep_tlsdio (char const **argv, char *buf, int const *p, uint32_t options, unsigned int verbosity, unsigned int kimeout, unsigned int snilevel)
+void s6tls_prep_tlsdio (char const **argv, char *buf, int const *p, uint32_t options, unsigned int verbosity, unsigned int kimeout)
{
size_t m = 0 ;
size_t n = 0 ;
@@ -25,10 +25,10 @@ void s6tls_prep_tlsdio (char const **argv, char *buf, int const *p, uint32_t opt
n += uint_fmt(buf + n, p[5]) ;
buf[n++] = 0 ;
}
- if (options & 4) argv[m++] = "-S" ;
- if (options & 8) argv[m++] = "-J" ;
- if (options & 1)
- argv[m++] = options & 2 ? "-y" : "-Y" ;
+ if (options & 0x01) argv[m++] = "-S" ;
+ if (options & 0x02) argv[m++] = "-J" ;
+ if (options & 0x04)
+ argv[m++] = options & 0x08 ? "-y" : "-Y" ;
if (kimeout)
{
argv[m++] = "-K" ;
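Review bot: The bit values tested here (`0x01`, `0x02`, `0x04`, `0x08`, and `0x10`/`0x20` in the next hunk) are literal duplicates of the golb_e enums that s6-tlsd.c and s6-ucspitlsd.c each define locally and pass as `wgolb & 0xff`; the three copies have to be kept identical by hand, and s6-tlsd-io.c uses yet another layout for the same flags. Moving the option bits into one enum in s6tls-internal.h and testing named constants here (for instance `if (options & S6TLS_OPT_CLOSENOTIFY) argv[m++] = "-S" ;`, name to be chosen) would let the compiler enforce the contract between the callers and this builder.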
@@ -36,13 +36,8 @@ void s6tls_prep_tlsdio (char const **argv, char *buf, int const *p, uint32_t opt
n += uint_fmt(buf + n, kimeout) ;
buf[n++] = 0 ;
}
- if (snilevel)
- {
- argv[m++] = "-k" ;
- argv[m++] = buf + n ;
- n += uint_fmt(buf + n, snilevel) ;
- buf[n++] = 0 ;
- }
+ if (options & 0x20) argv[m++] = "--mandatory-sni" ;
+ else if (options & 0x10) argv[m++] = "--sni" ;
argv[m++] = "--" ;
argv[m++] = buf + n ;
n += uint_fmt(buf + n, p[0]) ;