tls: Remove the individual TLS configuration options

This is a breaking change.

TLS configuration changes are to be made using TLS configuration
objects, and then set on a listener or dialer with NNG_OPT_TLS_CONFIG.
This should be a bit less racy, and allows for simpler code.

4 files changed, 7 insertions, 52 deletions

diff --git a/docs/man/nng_tls.7.adoc b/docs/man/nng_tls.7.adoc
index 0da590ac..73a63a9f 100644
--- a/docs/man/nng_tls.7.adoc
+++ b/docs/man/nng_tls.7.adoc
@@ -107,9 +107,6 @@ Note that setting these must be done before the transport is started.
 * xref:nng_options.5.adoc#NNG_OPT_REMADDR[`NNG_OPT_REMADDR`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_KEEPALIVE[`NNG_OPT_TCP_KEEPALIVE`]
 * xref:nng_tcp_options.5.adoc#NNG_OPT_TCP_NODELAY[`NNG_OPT_TCP_NODELAY`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_AUTH_MODE[`NNG_OPT_TLS_AUTH_MODE`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CA_FILE[`NNG_OPT_TLS_CA_FILE`]
-* xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CERT_KEY_FILE[`NNG_OPT_TLS_CERT_KEY_FILE`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_CONFIG[`NNG_OPT_TLS_CONFIG`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_VERIFIED[`NNG_OPT_TLS_VERIFIED_`]
 * xref:nng_tls_options.5.adoc#NNG_OPT_TLS_PEER_CN[`NNG_OPT_TLS_PEER_CN`]
diff --git a/docs/man/nng_tls_options.5.adoc b/docs/man/nng_tls_options.5.adoc
index a06a600f..cf2a99cf 100644
--- a/docs/man/nng_tls_options.5.adoc
+++ b/docs/man/nng_tls_options.5.adoc
@@ -20,11 +20,7 @@ nng_tls_options - TLS-specific options
 ----
 #include <nng/nng.h>
 
-#define NNG_OPT_TLS_AUTH_MODE      "tls-authmode"
-#define NNG_OPT_TLS_CA_FILE        "tls-ca-file"
-#define NNG_OPT_TLS_CERT_KEY_FILE  "tls-cert-key-file"
 #define NNG_OPT_TLS_CONFIG         "tls-config"
-#define NNG_OPT_TLS_SERVER_NAME    "tls-server-name"
 #define NNG_OPT_TLS_VERIFIED       "tls-verified"
 #define NNG_OPT_TLS_PEER_CN        "tls-peer-cn"
 #define NNG_OPT_TLS_PEER_ALT_NAMES "tls-peer-alt-names"
@@ -47,25 +43,6 @@ description of the option.
 
 === TLS Options
 
-[[NNG_OPT_TLS_AUTH_MODE]]((`NNG_OPT_TLS_AUTH_MODE`))::
-(`int`)
-Write-only option used to configure the authentication mode used.
-See xref:nng_tls_config_auth_mode.3tls.adoc[`nng_tls_config_auth_mode()`] for
-more details.
-
-[[NNG_OPT_TLS_CA_FILE]]((`NNG_OPT_TLS_CA_FILE`))::
-(string) Write-only option naming a file containing certificates to
-use for peer validation.
-See xref:nng_tls_config_ca_file.3tls.adoc[`nng_tls_config_ca_file()`] for more
-information.
-
-[[NNG_OPT_TLS_CERT_KEY_FILE]]((`NNG_OPT_TLS_CERT_KEY_FILE`))::
-(string) Write-only option naming a file containing the local certificate and
-associated private key.
-The private key used must be unencrypted.
-See xref:nng_tls_config_own_cert.3tls.adoc[`nng_tls_config_own_cert()`] for more
-information.
-
 [[NNG_OPT_TLS_CONFIG]]((`NNG_OPT_TLS_CONFIG`))::
 (`nng_tls_config *`)
 This option references the underlying
@@ -79,14 +56,6 @@ longer needs the TLS configuration object.
 +
 TIP: Use this option when more advanced TLS configuration is required.
 
-[[NNG_OPT_TLS_SERVER_NAME]]((`NNG_OPT_TLS_SERVER_NAME`))::
-(string)
-This write-only option is used to specify the name of the server.
-When used with a dialer, this potentially configures SNI (server name
-indication, which is used as a hint by a multihosting server to choose the
-appropriate certificate to provide) and also is used to validate the
-name presented in the server's x509 certificate.
-
 [[NNG_OPT_TLS_VERIFIED]]((`NNG_OPT_TLS_VERIFIED`))::
 (`bool`)
 This read-only option indicates whether the remote peer has been properly verified using TLS
diff --git a/docs/man/nng_ws.7.adoc b/docs/man/nng_ws.7.adoc
index b63041ad..07c6cd14 100644
--- a/docs/man/nng_ws.7.adoc
+++ b/docs/man/nng_ws.7.adoc
@@ -157,24 +157,6 @@ longer needs the TLS configuration.
 
 TIP: Use this option when advanced TLS configuration is required.
 
-((`NNG_OPT_TLS_CA_FILE`))::
-(string) Write-only option naming a file containing certificates to
-use for peer validation.
-See xref:nng_tls_config_ca_file.3tls.adoc[`nng_tls_config_ca_file()`] for more
-information.
-
-((`NNG_OPT_TLS_CERT_KEY_FILE`))::
-(string) Write-only option naming a file containing the local certificate and
-associated private key.
-The private key used must be unencrypted.
-See xref:nng_tls_config_own_cert.3tls.adoc[`nng_tls_config_own_cert()`] for more
-information.
-
-((`NNG_OPT_TLS_AUTH_MODE`))::
-(`int`) Write-only option used to configure the authentication mode used.
-See xref:nng_tls_config_auth_mode.3tls.adoc[`nng_tls_config_auth_mode()`] for
-more details.
-
 `NNG_OPT_TLS_VERIFIED`::
 (`bool`) Whether the remote peer has been properly verified using TLS
 authentication.
diff --git a/docs/ref/migrate/nng1.md b/docs/ref/migrate/nng1.md
index f9fe641f..35224bb8 100644
--- a/docs/ref/migrate/nng1.md
+++ b/docs/ref/migrate/nng1.md
@@ -33,6 +33,13 @@ The `NNG_OPT_WSS_REQUEST_HEADERS` and `NNG_OPT_WSS_RESPONSE_HEADERS` aliases for
 Just convert any use of them to `NNG_OPT_WS_REQUEST_HEADERS` or
 `NNG_OPT_WS_RESPONSE_HEADERS` as appropriate.
 
+## TLS Options
+
+The support for configuring TLS via `NNG_TLS_AUTH_MODE`, `NNG_OPT_TLS_CA_FILE`, `NNG_OPT_TLS_SERVER_NAME`,
+and similar has been removed. Instead configuration must be performed by allocating
+a `nng_tls_config` object, and then setting fields on it using the appropriate functions,
+after which it may be configured on a listener or dialer using the `NNG_OPT_TLS_CONFIG` option.
+
 ## Option Functions
 
 The previously deprecated `nng_pipe_getopt_xxx` family of functions is removed.