From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: relayd: support explicit paths for keypair
To: Rafael Sadowski <rafael@sizeofvoid.org>
Cc: tech@openbsd.org
Date: Sat, 09 May 2026 19:21:10 +0200

On Sat, 09 May 2026 19:06:00 +0200,
Rafael Sadowski <rafael@sizeofvoid.org> wrote:
> 
> 
> This is the correct syntax:
> 
>          tls keypair xxx cert /etc/ssl/test.crt
>          tls keypair xxx key /etc/ssl/private/test.key
> 
> 
>

Well, I read line

             keypair name [cert path [key path [ocsp path]]]

from a man like cert/key/ocsp should be in one line and ocsp path might be
specified only when cert and key exists.

Anyway, I've tried your suggested syntax and it doesn't work:

relayd $ doas stat /etc/ssl/test.crt
1088 78678 -rw-r--r-- 1 root wheel 342741 1980 "Mar 29 22:28:46 2026" "Mar 29 22:28:46 2026" "Mar 29 22:30:11 2026" 16384 4 0 /etc/ssl/test.crt
relayd $ doas stat /etc/ssl/private/test.key
1088 78675 -rw-r--r-- 1 root wheel 327156 3272 "Mar 29 22:28:46 2026" "Mar 29 22:28:46 2026" "Mar 29 22:28:46 2026" 16384 8 0 /etc/ssl/private/test.key
relayd $ make
relayd $ cat relayd.conf                                                                                                                   
table <httpd> { 127.0.0.1 }

http protocol https {
        tls keypair xxx cert /etc/ssl/test.crt
        tls keypair xxx key /etc/ssl/private/test.key
}

relay https {
        listen on egress port 443 tls
        protocol https

        forward to <httpd> port 80
}
relayd $ doas ./obj/relayd -n -f relayd.conf 
relayd.conf:4: syntax error
relayd.conf:10: no such protocol: https
no actions, nothing to do
relayd $


-- 
wbr, Kirill