From: Kirill A. Korinsky
Subject: relayd: support TLS with multiple listeners
To: OpenBSD tech
Cc: Rafael Sadowski
Date: Sun, 29 Mar 2026 22:41:16 +0200

tech@,

relayd with trivial config:

	table { 127.0.0.1 }

	http protocol https {
		tls keypair test
		pass forward to
	}

	relay https {
		listen on egress port 443 tls
		listen on egress port 444 tls
		protocol https
		forward to port http
	}

fails as:

	relayd.conf:18: cannot load keypair test for relay https

A bug seems to be in relay_inherit(), which runs only
relay_load_certfiles(conf, rb, NULL) unconditionally. This isn't aligned
with the logic in the parser when it parses a relay block, where multiple
certificates are loaded as relay_load_certfiles(conf, rb, NULL) only if
there are no tlscerts (for the default host), and otherwise it loads the
keypairs.

Tested with and without keypair in protocol block with one and many
listen.

Thoughts? OK?

Index: usr.sbin/relayd/parse.y
===================================================================
RCS file: /home/cvs/src/usr.sbin/relayd/parse.y,v
diff -u -p -r1.261 parse.y
--- usr.sbin/relayd/parse.y	3 Mar 2026 19:51:41 -0000	1.261
+++ usr.sbin/relayd/parse.y	29 Mar 2026 20:30:33 -0000
@@ -3409,6 +3409,7 @@ struct relay *
 relay_inherit(struct relay *ra, struct relay *rb)
 {
 	struct relay_config	 rc;
+	struct keyname		*name;
 	struct relay_table	*rta, *rtb;
 
 	bcopy(&rb->rl_conf, &rc, sizeof(rc));
@@ -3444,10 +3445,18 @@ relay_inherit(struct relay *ra, struct r
 			goto err;
 		}
 
-	if (relay_load_certfiles(conf, rb, NULL) == -1) {
+	if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
+	    relay_load_certfiles(conf, rb, NULL) == -1) {
 		yyerror("cannot load certificates for relay %s",
 		    rb->rl_conf.name);
 		goto err;
+	}
+	TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
+		if (relay_load_certfiles(conf, rb, name->name) == -1) {
+			yyerror("cannot load keypair %s for relay %s",
+			    name->name, rb->rl_conf.name);
+			goto err;
+		}
 	}
 
 	TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {

-- 
wbr, Kirill
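Review bot: the second hunk duplicates the keypair-loading sequence that already lives in the parser's relay rule, and the bug being fixed is exactly that the two copies drifted apart (relay_inherit() kept the bare relay_load_certfiles(conf, rb, NULL) call after the relay rule grew tlscerts handling). Rather than a second copy of "if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) && relay_load_certfiles(conf, rb, NULL) == -1)" followed by "TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry)", consider moving that sequence into one helper that both the relay rule and relay_inherit() call, so a future change to keypair handling cannot leave one path behind again. Two smaller points on the same hunk: the loop dereferences rb->rl_proto->tlscerts unconditionally, so it depends on rb->rl_proto having been resolved for every inherited relay by the code earlier in relay_inherit() (outside this hunk), which is worth confirming for relays that fall back to the default protocol; and with the new condition a load failure for a protocol that does carry tlscerts is now reported only through the per-keypair "cannot load keypair %s for relay %s" message, never through the older "cannot load certificates" one, which matches the parser's behaviour described in the mail but changes what operators see, so it may be worth a line in the commit message.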