The -Y flag was being treated as if it means the default of not asking for a client cert.
Thanks! Applied with a slightly different style.

I should really have used a different name for the optional client certificate. As is, -Y/-y is asymmetrical between s6-tlsc and s6-tlsd, and that's ugly (and the reason for the bug, because I copied the template for s6-tlsserver from s6-tlsclient and failed to fix the -Y discrepancy).

And yes, you may well be the first to use it. It's uncommon that a server requires a client certificate - generally only people with a serious PKI setup bother with this, which means big orgs, and those haven't switched to s6-tlsserver yet. ;)

-- Laurent