I'm on -current. httpd throws a TLS configuration mismatch error when two servers on the same address/port use different ciphers or ecdhe settings, but the error is bypassed by adding another listen statement.
server "domain.tld" {
    listen on * tls port 443
    log style combined
    hsts {
        subdomains
    }
    root "/htdocs/domain.tld/"
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/mta-sts.txt" {
        root "/mta-sts"
        request strip 1
        pass
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

server "sub.domain.tld" {
    # listen on <some_add> port <random_port>
    # note: adding before tls
    # listen on 0.0.0.0 port 8080
    listen on * tls port 443
    root "/htdocs/sub.domain.tld"
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
    }
    hsts {
        max-age 15768000
        preload
        subdomains
    }
    connection max request body 104857600
    location "/*" {
        fastcgi {
            param SCRIPT_FILENAME "/cgi-bin/scm"
            param SCRIPT_NAME " "
        }
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

$ doas httpd -nv
server "sub.domain.tld": tls configuration mismatch on same address/port

Instead of defining the same ciphers and ecdhe settings in both server blocks, uncommenting `listen on 0.0.0.0 port 8080` (placed before the tls listen line) makes this error go away. I'm unsure what causes this; can someone shed some light?