
From:
Rafael Sadowski <rafael@sizeofvoid.org>
Subject:
Re: relayd: support TLS with multiple listeners
To:
tech@openbsd.org
Date:
Mon, 6 Apr 2026 08:05:44 +0200

On Sun Apr 05, 2026 at 09:16:49PM +0200, Kirill A. Korinsky wrote:
> On Sun, 29 Mar 2026 22:41:16 +0200,
> Kirill A. Korinsky <kirill@korins.ky> wrote:
> > 
> > tech@,
> > 
> > relayd with trivial config:
> > 
> > table <httpd>           { 127.0.0.1 }
> > 
> > http protocol https {
> > 	tls keypair test
> > 
> >         pass forward to <httpd>
> > }
> > 
> > relay https {
> >         listen on egress port 443 tls
> >         listen on egress port 444 tls
> >         protocol https
> > 
> >         forward to <httpd> port http
> > }
> > 
> > fails as:
> > 
> > relayd.conf:18: cannot load keypair test for relay https
> > 
> > A bug seems to be in relay_inherit(), which runs only
> > relay_load_certfiles(conf, rb, NULL) unconditionally, which isn't aligned
> > with the logic in the parser when it parses the relay block, where multiple
> > certificates are loaded as relay_load_certfiles(conf, rb, NULL) only if
> > there are no tlscerts (for the default host) and otherwise it loads keypairs.
> > 
> > Tested with and without keypair in protocol block with one and many listen.
> > 
> > Thoughts? OK?
> >
> 
> Anyone?
> 

That makes perfect sense to me. We've got quite a few problems in
the config process and this fixes one of them.

OK rsadowski

> Index: usr.sbin/relayd/parse.y
> ===================================================================
> RCS file: /home/cvs/src/usr.sbin/relayd/parse.y,v
> diff -u -p -r1.261 parse.y
> --- usr.sbin/relayd/parse.y	3 Mar 2026 19:51:41 -0000	1.261
> +++ usr.sbin/relayd/parse.y	29 Mar 2026 20:30:33 -0000
> @@ -3409,6 +3409,7 @@ struct relay *
>  relay_inherit(struct relay *ra, struct relay *rb)
>  {
>  	struct relay_config	 rc;
> +	struct keyname		*name;
>  	struct relay_table	*rta, *rtb;
>  
>  	bcopy(&rb->rl_conf, &rc, sizeof(rc));
> @@ -3444,10 +3445,18 @@ relay_inherit(struct relay *ra, struct r
>  		goto err;
>  	}
>  
> -	if (relay_load_certfiles(conf, rb, NULL) == -1) {
> +	if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
> +	    relay_load_certfiles(conf, rb, NULL) == -1) {
>  		yyerror("cannot load certificates for relay %s",
>  		    rb->rl_conf.name);
>  		goto err;
> +	}
> +	TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
> +		if (relay_load_certfiles(conf, rb, name->name) == -1) {
> +			yyerror("cannot load keypair %s for relay %s",
> +			    name->name, rb->rl_conf.name);
> +			goto err;
> +		}
>  	}
>  
>  	TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {
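Review bot: both the new TAILQ_EMPTY() test and the TAILQ_FOREACH() loop dereference rb->rl_proto, and nothing in this hunk checks that the protocol has already been attached to rb at this point of relay_inherit(); if a relay can reach here before its protocol is set, a guard is needed, otherwise a one-line comment stating that rl_proto is always valid here would spare the next reader the lookup. The loop bails on the first keypair that fails with the same "cannot load keypair %s for relay %s" wording the report quotes, which keeps the inherited listener's diagnostics identical to the first one's.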
> 
> 
> 
> -- 
> wbr, Kirill
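The rule the thread settles on, as an added example that is not relayd's code: a relay cloned from another listener loads the default keypair only when its protocol names no keypairs, and otherwise loads each named keypair. The keypair store, the load function, the struct layout and the relay names "https" and "www" below are constructed for the demonstration; only the decision logic follows the patch.

```c
/* Added example, not relayd's code. Models how a relay inherited from an
 * earlier "listen on" line should pick up its TLS keypairs, before and after
 * the fix discussed above. Everything here is a constructed stand-in. */
#include <stdio.h>
#include <string.h>
#include <sys/queue.h>

/* One "tls keypair <name>" line from a protocol block. */
struct keyname {
	const char *name;
	TAILQ_ENTRY(keyname) entry;
};
TAILQ_HEAD(keynamelist, keyname);

struct protocol {
	struct keynamelist tlscerts;
};

struct relay {
	const char *name;
	struct protocol *proto;
	int loaded;		/* keypairs successfully loaded so far */
};

/* Constructed stand-in for the keypair files on disk. */
static const char *available[] = { "test", "www" };

/* Stand-in for relay_load_certfiles(): NULL asks for the default keypair,
 * looked up under the relay's own name; otherwise the named keypair is used. */
static int
load_certfiles(struct relay *r, const char *keyname)
{
	const char *want = keyname != NULL ? keyname : r->name;
	size_t i;

	for (i = 0; i < sizeof(available) / sizeof(available[0]); i++) {
		if (strcmp(available[i], want) == 0) {
			r->loaded++;
			return 0;
		}
	}
	return -1;
}

/* Before the fix: always try the default keypair, ignore named ones. */
int
inherit_old(struct relay *r)
{
	return load_certfiles(r, NULL);
}

/* After the fix: default keypair only when no keypair is named, otherwise
 * every named keypair, stopping at the first failure. */
int
inherit_new(struct relay *r)
{
	struct keyname *kn;

	if (TAILQ_EMPTY(&r->proto->tlscerts) &&
	    load_certfiles(r, NULL) == -1)
		return -1;
	TAILQ_FOREACH(kn, &r->proto->tlscerts, entry) {
		if (load_certfiles(r, kn->name) == -1)
			return -1;
	}
	return 0;
}

/* named != 0 reproduces the report (relay "https", keypair "test");
 * named == 0 is a protocol without keypairs on a relay named "www", whose
 * default keypair exists. Returns the number of keypairs loaded, or -1. */
int
run_scenario(int use_fix, int named)
{
	struct protocol proto;
	struct keyname test;
	struct relay r = { named ? "https" : "www", &proto, 0 };

	TAILQ_INIT(&proto.tlscerts);
	if (named) {
		test.name = "test";
		TAILQ_INSERT_TAIL(&proto.tlscerts, &test, entry);
	}
	if ((use_fix ? inherit_new(&r) : inherit_old(&r)) == -1)
		return -1;
	return r.loaded;
}

int
main(void)
{
	printf("named keypair, old inherit: %d\n", run_scenario(0, 1));
	printf("named keypair, new inherit: %d\n", run_scenario(1, 1));
	printf("no keypair,    old inherit: %d\n", run_scenario(0, 0));
	printf("no keypair,    new inherit: %d\n", run_scenario(1, 0));
	return 0;
}
```

The first scenario is the failing configuration from the report: the old inherit path looks for a default keypair the relay does not have and fails, while the fixed path loads the named keypair. The second scenario shows the fixed path still taking the default-keypair route when the protocol names none.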