On Sat, August 15, 2020 7:13 pm, hisacro wrote:
> I'm on -current, httpd throws tls misconfig error when different
> cipher or ecdhe used but it's bypassed by listen statement.
>
> server "domain.tld" {
> listen on * tls port 443
> log style combined
> hsts
> {
> subdomains
> }
> root "/htdocs/domain.tld/"
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> ciphers "HIGH:!AES128:!kRSA:!aNULL"
> ecdhe "P-384,P-256,X25519"
> }
> }
>
> server "sub.domain.tld" {
> # listen on <some_add> port <random_port>
> # note: adding before tls
> # listen on 0.0.0.0 port 8080
> listen on * tls port 443
> root "/htdocs/sub.domain.tld"
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> }
> }
>
> $ doas httpd -nv
> server "sub.domain.tld": tls configuration mismatch on same address/port
>
> instead of defining same cipher and ecdhe, uncommenting
> "listen on 0.0.0.0 port 8080"
> bypasses this error
>
> I'm unsure what causes this, can someone shed some light?
>
It's what the error says: you're listening twice on the same IP and port
but with different tls blocks.
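A configuration that satisfies that rule, written here as an added example and not taken from either poster: both server blocks share the address/port, so they are given the identical ciphers and ecdhe settings instead of only one of them carrying those lines. The assumption behind it (from how I understand httpd's per-address/port comparison, not a statement made in the thread) is that protocols, ciphers, dhe, ecdhe and the tls flags must match across servers on the same address/port, while certificate and key are the per-name settings that SNI is allowed to vary. The paths and cipher list are the ones from the post.

```conf
# /etc/httpd.conf (added example; paths and cipher list copied from the post)

server "domain.tld" {
	listen on * tls port 443
	log style combined
	hsts subdomains
	root "/htdocs/domain.tld/"
	tls {
		certificate "/etc/ssl/domain.tld.fullchain.pem"
		key "/etc/ssl/private/domain.tld.key"
		ciphers "HIGH:!AES128:!kRSA:!aNULL"
		ecdhe "P-384,P-256,X25519"
	}
}

server "sub.domain.tld" {
	# Same address/port as above, so the tls parameters below must be
	# identical to the first block; only certificate/key may differ.
	listen on * tls port 443
	root "/htdocs/sub.domain.tld"
	tls {
		certificate "/etc/ssl/domain.tld.fullchain.pem"
		key "/etc/ssl/private/domain.tld.key"
		ciphers "HIGH:!AES128:!kRSA:!aNULL"
		ecdhe "P-384,P-256,X25519"
	}
}
```

Check it the same way the poster did, `doas httpd -n -f /etc/httpd.conf`, which should now report the configuration as OK instead of the mismatch error. Keeping a single copy of the cipher and curve lists in a macro is tempting, but a macro value containing characters such as `!` is re-lexed as an unquoted string by httpd's parser, so repeating the quoted strings in each block is the safe form.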