From: Rafael Sadowski Subject: Re: Relayd doesn't like ecdsa To: Omar Polo Cc: Mischa , Theo Buehler , Tech Date: Fri, 29 May 2026 12:38:17 +0200 On Wed May 27, 2026 at 07:04:39AM +0200, Rafael Sadowski wrote: > On Sat Apr 25, 2026 at 07:10:42PM +0200, Omar Polo wrote: > > Hello, > > > > Mischa wrote: > > > On 2026-04-23 14:25, Theo Buehler wrote: > > > > On Thu, Apr 23, 2026 at 02:07:45PM +0200, Mischa wrote: > > > >> Hi All, > > > >> > > > >> When using edcsa within acme-client.conf, relayd is unable to use the > > > >> key/cert, it seems to be looking for an RSA key/cert specifically. Is > > > >> there > > > >> a way to go around this? > > > > > > > > No. The privsep stuff has only RSA wired up. Someone motivated could > > > > probably crib from smtpd's ca.c. > > > > > > I wish I had the skilzzz. :/ > > > Willing to incentivize where possible. :) > > > > some time ago while working on smtpd's ca.c I wrote an implementation > > for relayd, mostly to validate my understanding. I was too scared to > > share it, I don't use relayd normally, and I try to stay a little bit > > away from it in general. (sorry, I found it confusing!) > > > > Anyway, I tried to resurrect the diff. It works for me with a stupid > > small config and an ec key generated with: > > That's really cool; I borrowed a similar approach from smptd, but it > was still a work in progress. > > A few comments below. I would add this to the tests. > > > > > key=... > > pem=... > > openssl ecparam -name secp384r1 -genkey -noout -out "${key}" > > openssl req -new -x509 -key "${key}" -out "${pem}" -days 365 \ > > -nodes -subj "/CN=localhost" > > > > can you give it a spin? there are chances it might work =) > > > > I don't like how we reuse the cko struct in ca_dispatch_relay(), but > > that's what was already done in the RSA case. > > Here is the EC regress test: diff --git a/regress/usr.sbin/relayd/Makefile b/regress/usr.sbin/relayd/Makefile index bcc238ca4ac..a199e9ab731 100644 
--- a/regress/usr.sbin/relayd/Makefile
+++ b/regress/usr.sbin/relayd/Makefile
@@ -37,8 +37,10 @@ REMOTE_ADDR ?=
 REMOTE_SSH ?=
 # Automatically generate regress targets from test cases in directory.
+# EC tests are handled separately to avoid overwriting the RSA cert.
-ARGS != cd ${.CURDIR} && ls args-*.pl
+ARGS_EC != cd ${.CURDIR} && ls args-*-ec.pl
+ARGS != cd ${.CURDIR} && ls args-*.pl | grep -v -- -ec\.pl
 CLEANFILES += *.log relayd.conf ktrace.out stamp-*
 CLEANFILES += *.pem *.req *.crt *.key *.srl
@@ -68,6 +70,23 @@ run-$a: $a
 .endif
 .endfor
+# EC tests
+.for a in ${ARGS_EC}
+REGRESS_TARGETS += run-$a
+run-$a: $a server.crt client.crt 127.0.0.1-ec.crt
+.if empty (REMOTE_SSH)
+ ${SUDO} cp 127.0.0.1-ec.crt /etc/ssl/127.0.0.1.crt
+ ${SUDO} cp 127.0.0.1-ec.key /etc/ssl/private/127.0.0.1.key
+ time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} ${PERLPATH}relayd.pl copy ${PERLPATH}$a
+ time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} ${PERLPATH}relayd.pl splice ${PERLPATH}$a
+.else
+ scp ${REMOTE_ADDR}-ec.crt root@${REMOTE_SSH}:/etc/ssl/${REMOTE_ADDR}.crt
+ scp ${REMOTE_ADDR}-ec.key root@${REMOTE_SSH}:/etc/ssl/private/${REMOTE_ADDR}.key
+ time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} ${PERLPATH}remote.pl copy ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} ${PERLPATH}$a
+ time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} ${PERLPATH}remote.pl splice ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} ${PERLPATH}$a
+.endif
+.endfor
+
 # create certificates for TLS
 .for ip in ${REMOTE_ADDR} 127.0.0.1
@@ -85,6 +104,14 @@ ${ip}.crt: ca.crt client-ca.crt
 scp ca.crt ca.key ${REMOTE_SSH}:
 scp client-ca.crt client-ca.key ${REMOTE_SSH}:
 .endif
+
+${ip}-ec.crt:
+ openssl ecparam -name secp384r1 -genkey -noout \
+ -out ${ip}-ec.key
+ openssl req -batch -new -x509 \
+ -subj /L=OpenBSD/O=relayd-regress/OU=relayd/CN=${ip}/ \
+ -key ${ip}-ec.key \
+ -out $@
 .endfor
 ca.crt client-ca.crt:
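Review bot: The comment `# EC tests are handled separately to avoid overwriting the RSA cert.` does not describe what the split achieves: the EC `run-$a` recipe in the next hunk still copies the EC pair over /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key, so the RSA cert is overwritten after all. Reword it to what the two lists actually do, e.g. `# EC tests get their own run-* targets so the EC cert/key can be installed just for them.` The `ls args-*.pl | grep -v -- -ec\.pl` filter also spawns a second shell and, because sh strips the unquoted backslash before grep sees it, matches `-ec` followed by any character; BSD make can derive both lists from the one `ls` with its pattern modifiers: keep the original `ARGS != cd ${.CURDIR} && ls args-*.pl`, then `ARGS_EC = ${ARGS:M*-ec.pl}` and `ARGS := ${ARGS:N*-ec.pl}`.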
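Review bot: The `.if empty (REMOTE_SSH)` branch of the new `run-$a` recipe copies 127.0.0.1-ec.crt and 127.0.0.1-ec.key over /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key and nothing in the recipe puts the RSA pair back, so once an EC target has run, every RSA `run-` target executed later in the same tree (their recipes and the rule that installs the RSA pair are outside this hunk) silently exercises an EC key while still being reported as an RSA test. Add `${SUDO} cp 127.0.0.1.crt /etc/ssl/127.0.0.1.crt` and `${SUDO} cp 127.0.0.1.key /etc/ssl/private/127.0.0.1.key` after the second `time` line, with the matching `scp` pair in the `.else` branch; since make stops at the first failing `time` command the restore is skipped on failure, so installing the EC pair under its own name and letting the harness point relayd at it would be the more robust design. The remote branch also scp's `${REMOTE_ADDR}-ec.crt` and `${REMOTE_ADDR}-ec.key`, yet `run-$a` only depends on 127.0.0.1-ec.crt, so on a fresh checkout with REMOTE_SSH set the scp can run before the `${ip}-ec.crt` rule below has produced the remote file; add `${REMOTE_ADDR}-ec.crt` as a dependency for that case, guarded the same way the existing `${REMOTE_ADDR}.crt` dependency is.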
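Review bot: The `openssl req -batch -new -x509` invocation in the new `${ip}-ec.crt` rule passes no `-days`, so the self-signed certificate gets openssl's 30-day default; because the rule has no dependencies and only runs when the .crt is missing, a checkout older than a month keeps reinstalling an expired certificate and the EC tests start failing for a reason unrelated to relayd. Add an explicit lifetime on the `-subj` line's neighbour, e.g. `-days 365 \`, matching whatever the RSA `${ip}.crt` rule (outside this hunk) uses. The rule also never lists `${ip}-ec.key` as a target or dependency, so a stale key next to a fresh cert cannot be detected; generating the key in its own `${ip}-ec.key:` rule and declaring `${ip}-ec.crt: ${ip}-ec.key` keeps the two in step and lets `make clean` regenerate both.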
@@ -120,8 +147,8 @@ ${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: ${REMOTE_ADDR}.crt
 syntax: stamp-syntax
-stamp-syntax: ${ARGS}
-.for a in ${ARGS}
+stamp-syntax: ${ARGS} ${ARGS_EC}
+.for a in ${ARGS} ${ARGS_EC}
 @perl -c ${PERLPATH}$a
 .endfor
 @date >$@
diff --git a/regress/usr.sbin/relayd/args-ssl-ec.pl b/regress/usr.sbin/relayd/args-ssl-ec.pl
new file mode 100644
index 00000000000..b4059a7bf25
--- /dev/null
+++ b/regress/usr.sbin/relayd/args-ssl-ec.pl
@@ -0,0 +1,22 @@
+# test ssl connection with EC key
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ ssl => 1,
+ loggrep => 'Issuer.*/OU=relayd/',
+ },
+ relayd => {
+ forwardssl => 1,
+ listenssl => 1,
+ },
+ server => {
+ ssl => 1,
+ },
+ len => 251,
+ md5 => "bc3a3f39af35fe5b1687903da2b00c7f",
+);
+
+1;
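Review bot: Nothing in args-ssl-ec.pl verifies that an EC key was actually used: the only assertion is `loggrep => 'Issuer.*/OU=relayd/'`, which an RSA certificate carrying the same `OU=relayd` would satisfy equally, so if the Makefile's install step is skipped or an RSA pair is still in /etc/ssl the test passes without covering the new relayd code path. If the harness logs the peer certificate or the negotiated cipher on the client side (relayd.pl is not in this diff, so I cannot confirm what it prints), grep for something only the EC certificate produces, such as the public-key algorithm or an ECDSA cipher suite, in addition to the Issuer line. The file also has no comment explaining that it is only meaningful with the EC pair installed by the Makefile's `run-*-ec.pl` targets; a header line such as `# expects the Makefile to have installed 127.0.0.1-ec.crt/.key as /etc/ssl/127.0.0.1.crt and /etc/ssl/private/127.0.0.1.key` would make that coupling visible to whoever runs the test by hand.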