From: Rafael Sadowski
Subject: Re: relayd: support TLS with multiple listeners
To: tech@openbsd.org
Date: Mon, 6 Apr 2026 08:05:44 +0200

On Sun Apr 05, 2026 at 09:16:49PM +0200, Kirill A. Korinsky wrote:
> On Sun, 29 Mar 2026 22:41:16 +0200,
> Kirill A. Korinsky wrote:
> >
> > tech@,
> >
> > relayd with trivial config:
> >
> > table { 127.0.0.1 }
> >
> > http protocol https {
> > tls keypair test
> >
> > pass forward to
> > }
> >
> > relay https {
> > listen on egress port 443 tls
> > listen on egress port 444 tls
> > protocol https
> >
> > forward to port http
> > }
> >
> > fails as:
> >
> > relayd.conf:18: cannot load keypair test for relay https
> >
> > A bug seems to be in relay_inherit() which runs only
> > relay_load_certfiles(conf, rb, NULL) unconditionally which isn't aligned
> > with the logic in the parser when it parses the relay block, where multiple
> > certificates are loaded as relay_load_certfiles(conf, rb, NULL) only if there
> > are no tlscerts (for default host) and otherwise it loads keypairs.
> >
> > Tested with and without keypair in protocol block with one and many listen.
> >
> > Thoughts? OK?
> >
>
> Anyone?
>

That makes perfect sense to me. We've got quite a few problems in the config
process and this fixes one of them.

OK rsadowski

> Index: usr.sbin/relayd/parse.y
> ===================================================================
> RCS file: /home/cvs/src/usr.sbin/relayd/parse.y,v
> diff -u -p -r1.261 parse.y
> --- usr.sbin/relayd/parse.y 3 Mar 2026 19:51:41 -0000 1.261
> +++ usr.sbin/relayd/parse.y 29 Mar 2026 20:30:33 -0000
> @@ -3409,6 +3409,7 @@ struct relay *
> relay_inherit(struct relay *ra, struct relay *rb)
> {
> struct relay_config rc;
> + struct keyname *name;
> struct relay_table *rta, *rtb;
>
> bcopy(&rb->rl_conf, &rc, sizeof(rc));
> @@ -3444,10 +3445,18 @@ relay_inherit(struct relay *ra, struct r
> goto err;
> }
>
> - if (relay_load_certfiles(conf, rb, NULL) == -1) {
> + if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
> + relay_load_certfiles(conf, rb, NULL) == -1) {
> yyerror("cannot load certificates for relay %s",
> rb->rl_conf.name);
> goto err;
> + }
> + TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
> + if (relay_load_certfiles(conf, rb, name->name) == -1) {
> + yyerror("cannot load keypair %s for relay %s",
> + name->name, rb->rl_conf.name);
> + goto err;
> + }
> }
>
> TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {
>
>
>
> --
> wbr, Kirill
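Review bot: the TAILQ_EMPTY(&rb->rl_proto->tlscerts) check followed by the TAILQ_FOREACH over tlscerts in the second hunk now exists twice, here in relay_inherit() and in the relay-block rule of the parser that the report says this is copied from; consider pulling both copies into one helper (say a hypothetical relay_load_proto_certs(conf, rb)) called from both places, so the two paths cannot drift apart again the way this bug shows they did. Also, the new loop runs for every inherited listener whether or not that listener was declared with `tls`; that matches the old unconditional relay_load_certfiles(conf, rb, NULL) call it replaces, so it relies on relay_load_certfiles() being a no-op for a non-TLS relay, which is worth confirming with a relay that mixes a plain `listen on ... port 80` with a `listen on ... port 443 tls` under a protocol that names a keypair.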