--- a/core/certmanager.lua	Wed Nov 23 17:27:44 2016 +0100
+++ b/core/certmanager.lua	Sat Nov 26 20:11:03 2016 +0100
@@ -184,9 +184,12 @@
 		err = err or "invalid ssl config"
 		local file = err:match("^error loading (.-) %(");
 		if file then
+			local typ;
 			if file == "private key" then
+				typ = file;
 				file = user_ssl_config.key or "your private key";
 			elseif file == "certificate" then
+				typ = file;
 				file = user_ssl_config.certificate or "your certificate file";
 			end
 			local reason = err:match("%((.+)%)$") or "some reason";
@@ -196,6 +199,8 @@
 				reason = "Check that the path is correct, and the file exists.";
 			elseif reason == "system lib" then
 				reason = "Previous error (see logs), or other system error.";
+			elseif reason == "no start line" then
+				reason = "Check that the file contains a "..(typ or file);
 			elseif reason == "(null)" or not reason then
 				reason = "Check that the file exists and the permissions are correct";
 			else

--- a/core/stanza_router.lua	Wed Nov 23 17:27:44 2016 +0100
+++ b/core/stanza_router.lua	Sat Nov 26 20:11:03 2016 +0100
@@ -67,8 +67,14 @@
 			return handle_unhandled_stanza(origin.host, origin, stanza);
 		end
 		if name == "iq" then
-			if not iq_types[st_type] or ((st_type == "set" or st_type == "get") and (#stanza.tags ~= 1)) then
-				origin.send(st.error_reply(stanza, "modify", "bad-request", "Invalid IQ type or incorrect number of children"));
+			if not iq_types[st_type] then
+				origin.send(st.error_reply(stanza, "modify", "bad-request", "Invalid IQ type"));
+				return;
+			elseif not stanza.attr.id then
+				origin.send(st.error_reply(stanza, "modify", "bad-request", "Missing required 'id' attribute"));
+				return;
+			elseif (st_type == "set" or st_type == "get") and (#stanza.tags ~= 1) then
+				origin.send(st.error_reply(stanza, "modify", "bad-request", "Incorrect number of children for IQ stanz"));
 				return;
 			end
 		end

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc/storage.tld	Sat Nov 26 20:11:03 2016 +0100
@@ -0,0 +1,61 @@
+-- Storage Interface API Description
+--
+-- This is written as a TypedLua description
+
+-- Key-Value stores (the default)
+
+interface keyval_store
+	get : ( self, string? ) -> (any) | (nil, string)
+	set : ( self, string?, any ) -> (boolean) | (nil, string)
+end
+
+-- Map stores (key-key-value stores)
+
+interface map_store
+	get : ( self, string?, any ) -> (any) | (nil, string)
+	set : ( self, string?, any, any ) -> (boolean) | (nil, string)
+	set_keys : ( self, string?, { any : any }) -> (boolean) | (nil, string)
+	remove : {}
+end
+
+-- Archive stores
+
+typealias archive_query = {
+	"start"  : number?, -- timestamp
+	"end"    : number?, -- timestamp
+	"with"   : string?,
+	"after"  : string?, -- archive id
+	"before" : string?, -- archive id
+	"total"  : boolean?,
+}
+
+interface archive_store
+	-- Optional set of capabilities
+	caps   : {
+		-- Optional total count of matching items returned as second return value from :find()
+		"total" : boolean?,
+	}?
+
+	-- Add to the archive
+	append : ( self, string?, string?, any, number?, string? ) -> (string) | (nil, string)
+
+	-- Iterate over archive
+	find   : ( self, string?, archive_query? ) -> ( () -> ( string, any, number?, string? ), integer? )
+
+	-- Removal of items. API like find. Optional?
+	delete : ( self, string?, archive_query? ) -> (boolean) | (number) | (nil, string)
+
+	-- Array of dates which do have messages (Optional?)
+	dates  : ( self, string? ) -> ({ string }) | (nil, string)
+end
+
+-- This represents moduleapi
+interface module
+	-- If the first string is omitted then the name of the module is used
+	-- The second string is one of "keyval" (default), "map" or "archive"
+	open_store : (self, string?, string?) -> (keyval_store) | (map_store) | (archive_store) | (nil, string)
+
+	-- Other module methods omitted
+end
+
+module : module

--- a/man/prosodyctl.markdown	Wed Nov 23 17:27:44 2016 +0100
+++ b/man/prosodyctl.markdown	Sat Nov 26 20:11:03 2016 +0100
@@ -5,7 +5,7 @@
 date: '2015-12-23'
 section: 1
 title: PROSODYCTL
-...
+---
 
 NAME
 ====
@@ -80,6 +80,30 @@
 status
 :   Prints the current execution status of the prosody server daemon.
 
+Certificates
+------------
+
+prosodyctl can create self-signed certificates, certificate requests and
+private keys for use with Prosody. Commands are of the form
+`prosodyctl cert subcommand`. Commands take a list of hosts to be
+included in the certificate.
+
+request hosts
+:   Create a certificate request (CSR) file for submission to a
+    certificate authority. Multiple hosts can be given, sub-domains are
+    automatically included.
+
+generate hosts
+:   Generate a self-signed certificate.
+
+key host \[size\]
+:   Generate a private key of 'size' bits (defaults to 2048). Invoked
+    automatically by 'request' and 'generate' if needed.
+
+config hosts
+:   Produce a config file for the list of hosts. Invoked automatically
+    by 'request' and 'generate' if needed.
+
 Debugging
 ---------
 
@@ -110,6 +134,9 @@
 OPTIONS
 =======
 
+`--config filename`
+:   Use the specified config file instead of the default.
+
 `--help`
 :   Display help text for the specified command.
 

--- a/net/server_select.lua	Wed Nov 23 17:27:44 2016 +0100
+++ b/net/server_select.lua	Sat Nov 26 20:11:03 2016 +0100
@@ -416,6 +416,7 @@
 	end
 	handler.port = handler.clientport -- COMPAT server_event
 	local write = function( self, data )
+		if not handler then return false end
 		bufferlen = bufferlen + #data
 		if bufferlen > maxsendlen then
 			_closelist[ handler ] = "send buffer exceeded"	 -- cannot close the client at the moment, have to wait to the end of the cycle