From: Mischa <openbsd@mlst.nl>
Subject: relayd w/ ipv6 not loading SNI certs
To: Tech <tech@openbsd.org>
Date: Tue, 28 Apr 2026 15:06:14 +0200

Hi All,

When using SNI within relayd with IPv6 configured, it seems it's
still looking for 2a03:6000:xx::xx.crt and 2a03:6000:xx::xx.key.

# relayd -n -vvv
relay_load_certfiles: using certificate /etc/ssl/xxx.high5.nl.crt
relay_load_certfiles: using private key /etc/ssl/private/xxx.high5.nl.key
/etc/relayd.conf:62: cannot load certificates for relay default_tls2:443

#
local_v4 = "46.23.xx.xx"
local_v6 = "2a03:6000:xx::xx"
table <localhost> { 127.0.0.1 }
http protocol httpsfilter {
   tcp { nodelay, sack }
   tls keypair xxx.high5.nl
   tls { ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384", ecdhe "default", no client-renegotiation }
}

relay default_tls {
   listen on $local_v4 port 443 tls
   listen on $local_v6 port 443 tls
   protocol httpsfilter
   forward to <localhost> port 443
}
#

Without "listen on $local_v6 port 443 tls" everything works like a 
charm.

Mischa