
From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: relayd: support TLS with multiple listeners
To: tech@openbsd.org, rafael@sizeofvoid.org
Date: Sun, 05 Apr 2026 21:16:49 +0200

On Sun, 29 Mar 2026 22:41:16 +0200,
Kirill A. Korinsky <kirill@korins.ky> wrote:
> 
> tech@,
> 
> relayd with trivial config:
> 
> table <httpd>           { 127.0.0.1 }
> 
> http protocol https {
> 	tls keypair test
> 
>         pass forward to <httpd>
> }
> 
> relay https {
>         listen on egress port 443 tls
>         listen on egress port 444 tls
>         protocol https
> 
>         forward to <httpd> port http
> }
> 
> fails as:
> 
> relayd.conf:18: cannot load keypair test for relay https
> 
> A bug seems to be in relay_inherit(), which runs only
> relay_load_certfiles(conf, rb, NULL) unconditionally, which isn't aligned
> with the logic in the parser when it parses the relay block, where multiple certificates
> are loaded as relay_load_certfiles(conf, rb, NULL) only if there are no tlscerts
> (for the default host), and otherwise it loads keypairs.
> 
> Tested with and without a keypair in the protocol block, with one and with many listens.
> 
> Thoughts? OK?
>

Anyone?

Index: usr.sbin/relayd/parse.y
===================================================================
RCS file: /home/cvs/src/usr.sbin/relayd/parse.y,v
diff -u -p -r1.261 parse.y
--- usr.sbin/relayd/parse.y	3 Mar 2026 19:51:41 -0000	1.261
+++ usr.sbin/relayd/parse.y	29 Mar 2026 20:30:33 -0000
@@ -3409,6 +3409,7 @@ struct relay *
 relay_inherit(struct relay *ra, struct relay *rb)
 {
 	struct relay_config	 rc;
+	struct keyname		*name;
 	struct relay_table	*rta, *rtb;
 
 	bcopy(&rb->rl_conf, &rc, sizeof(rc));
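Review bot: minor, the new `struct keyname *name;` local is only used as the TAILQ_FOREACH iterator over `rb->rl_proto->tlscerts` further down in relay_inherit(), so it needs no initialisation here; its tab alignment matches the neighbouring `struct relay_config` and `struct relay_table` declarations, which is all this hunk has to get right.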
@@ -3444,10 +3445,18 @@ relay_inherit(struct relay *ra, struct r
 		goto err;
 	}
 
-	if (relay_load_certfiles(conf, rb, NULL) == -1) {
+	if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
+	    relay_load_certfiles(conf, rb, NULL) == -1) {
 		yyerror("cannot load certificates for relay %s",
 		    rb->rl_conf.name);
 		goto err;
+	}
+	TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
+		if (relay_load_certfiles(conf, rb, name->name) == -1) {
+			yyerror("cannot load keypair %s for relay %s",
+			    name->name, rb->rl_conf.name);
+			goto err;
+		}
 	}
 
 	TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {
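Review bot: the new `TAILQ_EMPTY(&rb->rl_proto->tlscerts) && relay_load_certfiles(conf, rb, NULL) == -1` check plus the `TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry)` loop reproduces, by hand, the same branching the report says the parser already performs for a relay block; that duplication is exactly how the two paths drifted apart in the first place, so consider moving this keypair-loading sequence into a small helper called from both the relay-block rule and relay_inherit() so they cannot diverge again. Two things to confirm that the hunk does not show: that `rb->rl_proto` is already assigned at this point (the old code passed only `rb` to relay_load_certfiles(), so the dereference of `rl_proto` here is new), and that a failure partway through the loop leaves no half-loaded keypairs behind on the `goto err` path. The error text `cannot load keypair %s for relay %s` matches the message quoted in the report (`cannot load keypair test for relay https`), which keeps diagnostics consistent between the two code paths.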



-- 
wbr, Kirill