Hello!
I think I found a bug in relayd, but maybe I misunderstood
how to configure it:
Bug reproduced (with a cert setup) as below:
$ cat /etc/relayd.conf:
table <"http"> { 127.0.0.1 }
http protocol "https" {
tls keypair "lap1.josuah.net"
}
relay "https" {
listen on 127.0.0.1 port 443 tls
listen on ::1 port 443 tls
protocol "https"
forward to <"http"> port 80 check tcp
}
$ ktrace relayd -dvv # without the patch applied
...
87874 relayd CALL open(0x7f7ffffe76d0,0<O_RDONLY>)
87874 relayd NAMI "/etc/ssl/::1:443.crt"
87874 relayd RET open -1 errno 2 No such file or directory
87874 relayd CALL open(0x7f7ffffe76d0,0<O_RDONLY>)
87874 relayd NAMI "/etc/ssl/::1.crt"
87874 relayd RET open -1 errno 2 No such file or directory
...
The second "listen" block inherit its configuration from the
first, and /etc/ssl/::1.crt as certificate instead of the
keypair list.
Although, even with the patch it does not work on the extra
listen address (the one replicated):
$ openssl s_client -connect ::1:443 -servername lap1.josuah.net
CONNECTED(00000003)
5110093530528:error:1400A410:SSL routines:CONNECT_CR_CERT_REQ:sslv3 alert
handshake failure:/usr/src/lib/libssl/tls13_lib.c:129:SSL alert number 40
---
no peer certificate available
If anyone has an idea on how to allow multiple listen
as shown in the example, I am interested.
The patch:
Check that there are no certificates in the keypair list
before searching the default /etc/ssl/$address.crt
certificate.
Index: src/usr.sbin/relayd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.253
diff -u -r1.253 parse.y
--- src/usr.sbin/relayd/parse.y 15 Oct 2021 15:01:28 -0000 1.253
+++ src/usr.sbin/relayd/parse.y 17 Aug 2022 11:52:34 -0000
@@ -3421,7 +3421,8 @@
goto err;
}
- if (relay_load_certfiles(conf, rb, NULL) == -1) {
+ if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
+ relay_load_certfiles(conf, rb, NULL) == -1) {
yyerror("cannot load certificates for relay %s",
rb->rl_conf.name);
