Note: I'm running the current stable releases of skalibs and s6-*. It's all statically linked, against musl, if that might be relevant.
To give an example minimal usage, running $(which export) CERTFILE /etc/letsencrypt/live/$REDACTED/fullchain.pem \ $(which export) KEYFILE /etc/letsencrypt/live/$REDACTED/privkey.pem \ s6-tlsserver -v -- 0.0.0.0 443 exit 0 on the server, and CADIR=/etc/ssl/certs s6-tlsclient $REDACTED 443 s6-ioconnect on the client, the client reports > s6-tlsc: fatal: unable to perform SSL handshake: handshake failed: unexpected EOF and the server reports > s6-tcpserver4d: info: starting > s6-tcpserver4d: info: status: 0/40! > s6-tcpserver4d: info: allow [redacted]:42623 pid 29407 count 1/40 > s6-tcpserver4d: info: status: 1/40 > s6-tcpserver4d: info: end pid 29407 ip [redacted] signal 11 > s6-tcpserver4d: info: status: 0/40 Far as I can tell this is undocumented behavior (hell, exiting 11 isn't even in the s6-tlsd source!), so I believe I have run into a Mysterious Bug. (Of course, there is always that distinct possibility I just, don't know what I'm doing...) If providing sysdeps might be useful: clockrt: yes clockmon: yes clockboot: yes posixspawn: yes timer: yes endianness: little sizeofushort: 2 sizeofuint: 4 sizeofulong: 8 signedsize: no sizeofsize: 8 signeduid: no sizeofuid: 4 signedgid: no sizeofgid: 4 signedpid: yes sizeofpid: 4 signedtime: yes sizeoftime: 8 signeddev: no sizeofdev: 8 signedino: no sizeofino: 8 accept4: yes cmsgcloexec: yes dirfd: yes eventfd: yes flock: yes getrandom: yes getpeereid: no sopeercred: yes getpeerucred: no ipv6: yes msgdontwait: yes odirectory: yes openat: yes linkat: yes memmem: yes pipe2: yes ppoll: yes revoke: no sendfile: yes setgroups: yes settimeofday: yes signalfd: yes splice: yes strcasestr: yes strnlen: yes uint64t: yes futimens: yes futimes: yes arc4random: no arc4random_addrandom: no itimer: yes namespaces: yes nsgetparent: yes explicit_bzero: yes devurandom: yes
