
From:
Mischa <openbsd@mlst.nl>
Subject:
Re: Relayd doesn't like ecdsa
To:
Rafael Sadowski <rafael@sizeofvoid.org>
Cc:
Omar Polo <op@omarpolo.com>, Theo Buehler <tb@theobuehler.org>, Tech <tech@openbsd.org>
Date:
Wed, 03 Jun 2026 12:45:27 +0200


Hi Rafael,

Not sure if this is relevant in this thread but...
I got this message yesterday and the relayd process stopped.
This is with the initial patch which Omar provided, running on 7.9.

Jun  2 21:18:49 obsdams relayd[69181]: ecdsae_send_enc_imsg: priv ecdsa poll timeout, keyop #29f3
Jun  2 21:18:49 obsdams relayd[69181]: fatal in relay: proc_dispatch: relay 1 got invalid imsg 61 peerid -1 from ca 1
Jun  2 21:18:49 obsdams relayd[33605]: lost child: pid 69181 exited abnormally
Jun  2 21:18:50 obsdams relayd[33597]: ecdsae_send_enc_imsg: imsgbuf_flush: Broken pipe

Mischa

On 2026-05-29 12:38, Rafael Sadowski wrote:
> On Wed May 27, 2026 at 07:04:39AM +0200, Rafael Sadowski wrote:
>> On Sat Apr 25, 2026 at 07:10:42PM +0200, Omar Polo wrote:
>> > Hello,
>> >
>> > Mischa <bsdnl@mlst.nl> wrote:
>> > > On 2026-04-23 14:25, Theo Buehler wrote:
>> > > > On Thu, Apr 23, 2026 at 02:07:45PM +0200, Mischa wrote:
>> > > >> Hi All,
>> > > >>
>> > > >> When using ecdsa within acme-client.conf, relayd is unable to use the
>> > > >> key/cert, it seems to be looking for an RSA key/cert specifically. Is
>> > > >> there a way to go around this?
>> > > >
>> > > > No. The privsep stuff has only RSA wired up. Someone motivated could
>> > > > probably crib from smtpd's ca.c.
>> > >
>> > > I wish I had the skilzzz. :/
>> > > Willing to incentivize where possible. :)
>> >
>> > some time ago while working on smtpd's ca.c I wrote an implementation
>> > for relayd, mostly to validate my understanding.  I was too scared to
>> > share it, I don't use relayd normally, and I try to stay a little bit
>> > away from it in general.  (sorry, I found it confusing!)
>> >
>> > Anyway, I tried to resurrect the diff.  It works for me with a stupid
>> > small config and an ec key generated with:
>> 
>> That's really cool; I borrowed a similar approach from smtpd, but it
>> was still a work in progress.
>> 
>> A few comments below. I would add this to the tests.
>> 
>> >
>> > 	key=...
>> > 	pem=...
>> > 	openssl ecparam -name secp384r1 -genkey -noout -out "${key}"
>> > 	openssl req -new -x509 -key "${key}" -out "${pem}" -days 365 \
>> > 		-nodes -subj "/CN=localhost"
>> >
>> > can you give it a spin?  there are chances it might work =)
>> >
>> > I don't like how we reuse the cko struct in ca_dispatch_relay(), but
>> > that's what was already done in the RSA case.
>> >
> 
> Here is the EC regress test:
> 
> 
> diff --git a/regress/usr.sbin/relayd/Makefile 
> b/regress/usr.sbin/relayd/Makefile
> index bcc238ca4ac..a199e9ab731 100644
> --- a/regress/usr.sbin/relayd/Makefile
> +++ b/regress/usr.sbin/relayd/Makefile
> @@ -37,8 +37,10 @@ REMOTE_ADDR ?=
>  REMOTE_SSH ?=
> 
>  # Automatically generate regress targets from test cases in directory.
> +# EC tests are handled separately to avoid overwriting the RSA cert.
> 
> -ARGS !=			cd ${.CURDIR} && ls args-*.pl
> +ARGS_EC !=		cd ${.CURDIR} && ls args-*-ec.pl
> +ARGS !=			cd ${.CURDIR} && ls args-*.pl | grep -v -- -ec\.pl
>  CLEANFILES +=		*.log relayd.conf ktrace.out stamp-*
>  CLEANFILES +=		*.pem *.req *.crt *.key *.srl
> 
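Review bot: the pattern in the new `ARGS !=` line, `grep -v -- -ec\.pl`, reaches the shell unquoted, so the backslash is consumed and grep receives `-ec.pl` with an unanchored `.`; it still excludes the `-ec.pl` files, but quote it as `grep -v -- '-ec\.pl'` (or anchor it with `$`) so the intent survives. The `--` is needed because the pattern starts with a dash, which deserves a word in the comment added above, next to the note about EC tests being handled separately.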
> @@ -68,6 +70,23 @@ run-$a: $a
>  .endif
>  .endfor
> 
> +# EC tests
> +.for a in ${ARGS_EC}
> +REGRESS_TARGETS +=	run-$a
> +run-$a: $a server.crt client.crt 127.0.0.1-ec.crt
> +.if empty (REMOTE_SSH)
> +	${SUDO} cp 127.0.0.1-ec.crt /etc/ssl/127.0.0.1.crt
> +	${SUDO} cp 127.0.0.1-ec.key /etc/ssl/private/127.0.0.1.key
> +	time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} 
> ${PERLPATH}relayd.pl copy ${PERLPATH}$a
> +	time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} 
> ${PERLPATH}relayd.pl splice ${PERLPATH}$a
> +.else
> +	scp ${REMOTE_ADDR}-ec.crt 
> root@${REMOTE_SSH}:/etc/ssl/${REMOTE_ADDR}.crt
> +	scp ${REMOTE_ADDR}-ec.key 
> root@${REMOTE_SSH}:/etc/ssl/private/${REMOTE_ADDR}.key
> +	time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} 
> ${PERLPATH}remote.pl copy ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} 
> ${PERLPATH}$a
> +	time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} 
> ${PERLPATH}remote.pl splice ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} 
> ${PERLPATH}$a
> +.endif
> +.endfor
> +
>  # create certificates for TLS
> 
>  .for ip in ${REMOTE_ADDR} 127.0.0.1
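Review bot: the dependency list of the EC `run-$a` target names only `127.0.0.1-ec.crt`, yet the `.else` branch scps `${REMOTE_ADDR}-ec.crt` and `${REMOTE_ADDR}-ec.key`, which nothing forces to be built first; the existing rule `${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: ${REMOTE_ADDR}.crt` (visible as context in a later hunk) will pull in the RSA cert for the new `*ssl*` targets, not the EC one. Add `${REMOTE_ADDR}-ec.crt` to the dependencies, or extend that `:M*ssl*` rule, so the remote run does not fail on a missing file. Both branches also install over the same `/etc/ssl/${ip}.crt` and `/etc/ssl/private/${ip}.key` paths as the RSA targets, so the installed cert is whichever target ran last; a one-line comment saying each run target is expected to reinstall its own key type would spare the next reader the surprise.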
> @@ -85,6 +104,14 @@ ${ip}.crt: ca.crt client-ca.crt
>  	scp ca.crt ca.key ${REMOTE_SSH}:
>  	scp client-ca.crt client-ca.key ${REMOTE_SSH}:
>  .endif
> +
> +${ip}-ec.crt:
> +	openssl ecparam -name secp384r1 -genkey -noout \
> +	    -out ${ip}-ec.key
> +	openssl req -batch -new -x509 \
> +	    -subj /L=OpenBSD/O=relayd-regress/OU=relayd/CN=${ip}/ \
> +	    -key ${ip}-ec.key \
> +	    -out $@
>  .endfor
> 
>  ca.crt client-ca.crt:
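Review bot: `${ip}-ec.crt` is self-signed (`req -new -x509` keyed with `${ip}-ec.key`), while the RSA `${ip}.crt` rule it sits next to depends on `ca.crt client-ca.crt`, so the EC test does not exercise a CA-issued chain and the `Issuer.*/OU=relayd/` match in the client log is satisfied by the self-signed cert's own subject. If that asymmetry is intended, say so in a comment; otherwise issue the EC cert from `ca.crt` the way the RSA cert is. The rule also writes `${ip}-ec.key` as an undeclared side effect, so a stale `${ip}-ec.crt` with a missing `.key` would never be regenerated; split it into a `${ip}-ec.key:` rule carrying the `ecparam` command and make `${ip}-ec.crt: ${ip}-ec.key` depend on it.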
> @@ -120,8 +147,8 @@ ${REGRESS_TARGETS:M*ssl*} 
> ${REGRESS_TARGETS:M*https*}: ${REMOTE_ADDR}.crt
> 
>  syntax: stamp-syntax
> 
> -stamp-syntax: ${ARGS}
> -.for a in ${ARGS}
> +stamp-syntax: ${ARGS} ${ARGS_EC}
> +.for a in ${ARGS} ${ARGS_EC}
>  	@perl -c ${PERLPATH}$a
>  .endfor
>  	@date >$@
> diff --git a/regress/usr.sbin/relayd/args-ssl-ec.pl 
> b/regress/usr.sbin/relayd/args-ssl-ec.pl
> new file mode 100644
> index 00000000000..b4059a7bf25
> --- /dev/null
> +++ b/regress/usr.sbin/relayd/args-ssl-ec.pl
> @@ -0,0 +1,22 @@
> +# test ssl connection with EC key
> +
> +use strict;
> +use warnings;
> +
> +our %args = (
> +    client => {
> +	ssl => 1,
> +	loggrep => 'Issuer.*/OU=relayd/',
> +    },
> +    relayd => {
> +	forwardssl => 1,
> +	listenssl => 1,
> +    },
> +    server => {
> +	ssl => 1,
> +    },
> +    len => 251,
> +    md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
> +);
> +
> +1;
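Review bot: the only client-side assertion is `loggrep => 'Issuer.*/OU=relayd/'`, which the self-signed EC cert meets through its own subject, but nothing in the test confirms that the handshake actually used the EC key; if the `cp` of the `-ec` files into `/etc/ssl` were skipped or overwritten, any cert with that OU would still pass. Add a second `loggrep` on something the client logs that is specific to the EC cert (its key type or the negotiated cipher suite) so a silent fallback to the RSA key fails the test. A short comment on how `len => 251` and the `md5` digest were obtained would also help, since nothing in this file shows what payload they describe.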