From 02afa553cc33400ead38ac85f8f7f2f3fe79f49d Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Fri, 28 May 2021 01:05:56 +0000 Subject: Server-side SNI, libtls version Implementation for bearssl coming soon. --- doc/s6-tlsc.html | 7 +++++++ doc/s6-tlsd-io.html | 28 ++++++++++++++++++++++++++-- doc/s6-tlsd.html | 33 +++++++++++++++++++++++++++++---- doc/s6-tlsserver.html | 1 + doc/s6-ucspitlsd.html | 26 ++++++++++++++++++++++---- 5 files changed, 85 insertions(+), 10 deletions(-) (limited to 'doc') diff --git a/doc/s6-tlsc.html b/doc/s6-tlsc.html index b83ae57..95cc44f 100644 --- a/doc/s6-tlsc.html +++ b/doc/s6-tlsc.html @@ -98,6 +98,13 @@ used.
  • SSL_TLS_SNI_SERVERNAME contains servername, if the -k option has been given; otherwise it is removed from the environment.
  • +
  • SSL_PEER_CERT_HASH contains the hash of the peer's +End Entity certificate, prefixed by the name of the hash and a colon +(typically SHA256:).
  • +
  • SSL_PEER_CERT_SUBJECT contains the decoded subjectDN +of the peer's End Entity certificate, i.e. identifying information. +What is traditionally called the "name" of the certificate is the +CN field in that data.
  • More similar environment variables containing information about the connection may be added in the future.
  • diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index 29f75c3..b2a4a1e 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html @@ -38,7 +38,7 @@ the options given when configuring s6-networking.

    Interface

    -     s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K kimeout ] [ -d notif ] [ -- ] fdr fdw
    +     s6-tlsd-io [ -S | -s ] [ -Y | -y ] [ -v verbosity ] [ -K kimeout ] [ -k snilevel ] [ -d notif ] [ -- ] fdr fdw
     
    @@ -117,6 +117,17 @@ of certificates. will refuse to run.

    +

    + Alternatively, if snilevel is nonzero, the private +key for the server named x should be held in a file +whose name is contained in the KEYFILE:x +environment variable, and the corresponding certificate chain +file should be named in the CERTFILE:x +environment variable. If snilevel is 2 or more, the +KEYFILE and CERTFILE variables will be +entirely ignored. +

    +

    If you are using client certificates, s6-tlsd-io also requires either one of the following variables to be set: @@ -196,6 +207,19 @@ is not to require a client certificate at all. to send data for kimeout milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). +

  • -k snilevel : support alternative +certificate chains for SNI. If snilevel is nonzero, private +key file names are read from every environment variable of the form +KEYFILE:x, where x is a server name that +the client may require, and a corresponding certificate chain for the name +x should exist in the file named after the contents of the +CERTFILE:x environment variable. If snilevel +is 2 or more, only those files are read, and the generic +KEYFILE and CERTFILE variables are ignored. +If snilevel is 0, or if the option is not given, which is the +default, KEYFILE and CERTFILE are the only private +key / certificate chain pair that are loaded, no other environment +variable is read for keypairs.
  • -d notif : handshake notification. notif must be a file descriptor open for writing. When the TLS handshake has completed, some data (terminated by two null diff --git a/doc/s6-tlsd.html b/doc/s6-tlsd.html index 6b0228f..c1c6a59 100644 --- a/doc/s6-tlsd.html +++ b/doc/s6-tlsd.html @@ -38,7 +38,7 @@ the options given when configuring s6-networking.

    Interface

    -     s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -- ] prog...
    +     s6-tlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -k snilevel ] [ -- ] prog...
     
    @@ -136,6 +148,19 @@ is not to require a client certificate at all.
  • to send data for kimeout milliseconds during the handshake, close the connection. The default is 0, which means infinite timeout (never kill the connection). +
  • -k snilevel : support alternative +certificate chains for SNI. If snilevel is nonzero, private +key file names are read from every environment variable of the form +KEYFILE:x, where x is a server name that +the client may require, and a corresponding certificate chain for the name +x should exist in the file named after the contents of the +CERTFILE:x environment variable. If snilevel +is 2 or more, only those files are read, and the generic +KEYFILE and CERTFILE variables are ignored. +If snilevel is 0, or if the option is not given, which is the +default, KEYFILE and CERTFILE are the only private +key / certificate chain pair that are loaded, no other environment +variable is read for keypairs.
  • Notes

    diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html index 12de659..2ec3327 100644 --- a/doc/s6-tlsserver.html +++ b/doc/s6-tlsserver.html @@ -194,6 +194,7 @@ given but no -i or -x option.
  • -S, -s
  • -Y, -y
  • -K kimeout
  • +
  • -k snilevel
  • Options passed to s6-applyuidgid

    diff --git a/doc/s6-ucspitlsd.html b/doc/s6-ucspitlsd.html index 7d7ef9b..be172c0 100644 --- a/doc/s6-ucspitlsd.html +++ b/doc/s6-ucspitlsd.html @@ -36,7 +36,7 @@ TLS stack in the server itself.

    Interface

    -     s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -- ] prog...
    +     s6-ucspitlsd [ -S | -s ] [ -Y | -y ] [ -Z | -z ] [ -v verbosity ] [ -K kimeout ] [ -k snilevel ] [ -- ] prog...
     

    Notes

    -- cgit v1.3.1