From: Mischa Subject: Re: Relayd doesn't like ecdsa To: Rafael Sadowski Cc: Omar Polo , Theo Buehler , Tech Date: Wed, 03 Jun 2026 12:45:27 +0200 Hi Rafael, Not sure if this is relevant in this thread but... I got this message yesterday and the relayd process stopped. This is with the initial patch which Omar provided, running on 7.9. Jun 2 21:18:49 obsdams relayd[69181]: ecdsae_send_enc_imsg: priv ecdsa poll timeout, keyop #29f3 Jun 2 21:18:49 obsdams relayd[69181]: fatal in relay: proc_dispatch: relay 1 got invalid imsg 61 peerid -1 from ca 1 Jun 2 21:18:49 obsdams relayd[33605]: lost child: pid 69181 exited abnormally Jun 2 21:18:50 obsdams relayd[33597]: ecdsae_send_enc_imsg: imsgbuf_flush: Broken pipe Mischa On 2026-05-29 12:38, Rafael Sadowski wrote: > On Wed May 27, 2026 at 07:04:39AM +0200, Rafael Sadowski wrote: >> On Sat Apr 25, 2026 at 07:10:42PM +0200, Omar Polo wrote: >> > Hello, >> > >> > Mischa wrote: >> > > On 2026-04-23 14:25, Theo Buehler wrote: >> > > > On Thu, Apr 23, 2026 at 02:07:45PM +0200, Mischa wrote: >> > > >> Hi All, >> > > >> >> > > >> When using ecdsa within acme-client.conf, relayd is unable to use the >> > > >> key/cert, it seems to be looking for an RSA key/cert specifically. Is >> > > >> there >> > > >> a way to go around this? >> > > > >> > > > No. The privsep stuff has only RSA wired up. Someone motivated could >> > > > probably crib from smtpd's ca.c. >> > > >> > > I wish I had the skilzzz. :/ >> > > Willing to incentivize where possible. :) >> > >> > some time ago while working on smtpd's ca.c I wrote an implementation >> > for relayd, mostly to validate my understanding. I was too scared to >> > share it, I don't use relayd normally, and I try to stay a little bit >> > away from it in general. (sorry, I found it confusing!) >> > >> > Anyway, I tried to resurrect the diff. 
It works for me with a stupid >> > small config and an ec key generated with: >> >> That's really cool; I borrowed a similar approach from smptd, but it >> was still a work in progress. >> >> A few comments below. I would add this to the tests. >> >> > >> > key=... >> > pem=... >> > openssl ecparam -name secp384r1 -genkey -noout -out "${key}" >> > openssl req -new -x509 -key "${key}" -out "${pem}" -days 365 \ >> > -nodes -subj "/CN=localhost" >> > >> > can you give it a spin? there are chances it might work =) >> > >> > I don't like how we reuse the cko struct in ca_dispatch_relay(), but >> > that's what was already done in the RSA case. >> > > > Here is the EC regress test: > > > diff --git a/regress/usr.sbin/relayd/Makefile > b/regress/usr.sbin/relayd/Makefile > index bcc238ca4ac..a199e9ab731 100644 > --- a/regress/usr.sbin/relayd/Makefile > +++ b/regress/usr.sbin/relayd/Makefile > @@ -37,8 +37,10 @@ REMOTE_ADDR ?= > REMOTE_SSH ?= > > # Automatically generate regress targets from test cases in directory. > +# EC tests are handled separately to avoid overwriting the RSA cert. > > -ARGS != cd ${.CURDIR} && ls args-*.pl > +ARGS_EC != cd ${.CURDIR} && ls args-*-ec.pl > +ARGS != cd ${.CURDIR} && ls args-*.pl | grep -v -- -ec\.pl > CLEANFILES += *.log relayd.conf ktrace.out stamp-* > CLEANFILES += *.pem *.req *.crt *.key *.srl 
> > @@ -68,6 +70,23 @@ run-$a: $a > .endif > .endfor > > +# EC tests > +.for a in ${ARGS_EC} > +REGRESS_TARGETS += run-$a > +run-$a: $a server.crt client.crt 127.0.0.1-ec.crt > +.if empty (REMOTE_SSH) > + ${SUDO} cp 127.0.0.1-ec.crt /etc/ssl/127.0.0.1.crt > + ${SUDO} cp 127.0.0.1-ec.key /etc/ssl/private/127.0.0.1.key > + time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} > ${PERLPATH}relayd.pl copy ${PERLPATH}$a > + time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} > ${PERLPATH}relayd.pl splice ${PERLPATH}$a > +.else > + scp ${REMOTE_ADDR}-ec.crt > root@${REMOTE_SSH}:/etc/ssl/${REMOTE_ADDR}.crt > + scp ${REMOTE_ADDR}-ec.key > root@${REMOTE_SSH}:/etc/ssl/private/${REMOTE_ADDR}.key > + time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} > ${PERLPATH}remote.pl copy ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} > ${PERLPATH}$a > + time SUDO="${SUDO}" KTRACE=${KTRACE} RELAYD=${RELAYD} perl ${PERLINC} > ${PERLPATH}remote.pl splice ${LOCAL_ADDR} ${REMOTE_ADDR} ${REMOTE_SSH} > ${PERLPATH}$a > +.endif > +.endfor > + > # create certificates for TLS > > .for ip in ${REMOTE_ADDR} 127.0.0.1 > @@ -85,6 +104,14 @@ ${ip}.crt: ca.crt client-ca.crt > scp ca.crt ca.key ${REMOTE_SSH}: > scp client-ca.crt client-ca.key ${REMOTE_SSH}: > .endif > + > +${ip}-ec.crt: > + openssl ecparam -name secp384r1 -genkey -noout \ > + -out ${ip}-ec.key > + openssl req -batch -new -x509 \ > + -subj /L=OpenBSD/O=relayd-regress/OU=relayd/CN=${ip}/ \ > + -key ${ip}-ec.key \ > + -out $@ > .endfor > > ca.crt client-ca.crt: > @@ -120,8 +147,8 @@ ${REGRESS_TARGETS:M*ssl*} > ${REGRESS_TARGETS:M*https*}: ${REMOTE_ADDR}.crt > > syntax: stamp-syntax > > -stamp-syntax: ${ARGS} > -.for a in ${ARGS} > +stamp-syntax: ${ARGS} ${ARGS_EC} > +.for a in ${ARGS} ${ARGS_EC} > @perl -c ${PERLPATH}$a > .endfor > @date >$@ > diff --git a/regress/usr.sbin/relayd/args-ssl-ec.pl > b/regress/usr.sbin/relayd/args-ssl-ec.pl > new file mode 100644 > index 00000000000..b4059a7bf25 
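Review bot: The new comment `# EC tests are handled separately to avoid overwriting the RSA cert.` does not match what the EC `run-$a` rule in the next hunk does: that recipe copies `127.0.0.1-ec.crt` and `127.0.0.1-ec.key` over `/etc/ssl/127.0.0.1.crt` and `/etc/ssl/private/127.0.0.1.key` on every run, so the installed RSA cert is overwritten as soon as an EC target runs, and whether an RSA target run afterwards reinstalls its own cert depends on the `${ip}.crt` rule, whose recipe is outside these hunks. Either reword the comment to what the split actually achieves, e.g. `# EC tests are generated separately because they have their own prerequisites and install the *-ec.crt/key files.`, or have the RSA targets reinstall their cert/key on each run the way the EC ones do. Separately, in `grep -v -- -ec\.pl` the backslash is unquoted, so the shell drops it and grep sees `-ec.pl` with a wildcard dot; `grep -v -- '-ec\.pl$'` (or make's `:N*-ec.pl` modifier applied to the full list) states the intent.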
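Review bot: In the `.else` (REMOTE_SSH) branch of the new EC `run-$a` rule, the recipe scp's `${REMOTE_ADDR}-ec.crt` and `${REMOTE_ADDR}-ec.key`, but the target only depends on `127.0.0.1-ec.crt`, so in the remote configuration the `${REMOTE_ADDR}-ec.crt` rule from the following hunk is not triggered before the copy and the scp fails unless that file already exists. The RSA targets get the equivalent from the `${REGRESS_TARGETS:M*ssl*} ${REGRESS_TARGETS:M*https*}: ${REMOTE_ADDR}.crt` line in the last Makefile hunk, which only names the RSA file (and, since `run-args-ssl-ec.pl` matches `*ssl*`, also makes the EC target build an RSA cert it never uses). Change the prerequisites to `run-$a: $a server.crt client.crt 127.0.0.1-ec.crt ${REMOTE_ADDR}-ec.crt`, or add `${REGRESS_TARGETS:M*-ec*}: ${REMOTE_ADDR}-ec.crt` next to the existing dependency line. The `-ec.key` files are only produced as a side effect of the `-ec.crt` rule, so a deleted key beside a surviving cert is not regenerated; a one-line comment on the rule saying so would save the next reader a failed `cp`.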
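Review bot: The new `${ip}-ec.crt` rule produces a self-signed certificate, unlike the RSA `${ip}.crt` rule just above it, which depends on `ca.crt` and `client-ca.crt`; so the EC test's `Issuer.*/OU=relayd/` match is satisfied by the self-signed subject and no CA-chained EC certificate is exercised, which is fine for a key-loading test but not obvious from the rule. It also omits `-days`, so the certificate gets openssl's 30-day default, harmless for freshly generated regress material but worth stating. A comment on the rule would make both explicit: `# self-signed (not chained to ca.crt, unlike ${ip}.crt); openssl's default validity`.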
> --- /dev/null > +++ b/regress/usr.sbin/relayd/args-ssl-ec.pl > @@ -0,0 +1,22 @@ > +# test ssl connection with EC key > + > +use strict; > +use warnings; > + > +our %args = ( > + client => { > + ssl => 1, > + loggrep => 'Issuer.*/OU=relayd/', > + }, > + relayd => { > + forwardssl => 1, > + listenssl => 1, > + }, > + server => { > + ssl => 1, > + }, > + len => 251, > + md5 => "bc3a3f39af35fe5b1687903da2b00c7f", > +); > + > +1;
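Review bot: The header `# test ssl connection with EC key` does not say where the EC key comes from, and nothing in the file ties the test to it: the only assertion is `loggrep => 'Issuer.*/OU=relayd/'`, which any certificate whose issuer carries `OU=relayd` would satisfy, so the EC property rests entirely on the Makefile having installed `127.0.0.1-ec.crt` and `127.0.0.1-ec.key` as `/etc/ssl/127.0.0.1.crt` and `/etc/ssl/private/127.0.0.1.key` just before the run. Expand the header to `# test ssl connection with EC key; relies on the Makefile's run-$a rule installing 127.0.0.1-ec.crt/key as /etc/ssl/127.0.0.1.crt/key before the run`, and if the client log records the negotiated cipher or peer key type, a second `loggrep` on it would make the test self-contained. The `len`/`md5` values are unexplained; a comment saying which fixture they describe would help.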