On 2012/03/21 20:51, Stuart Henderson wrote:
> On 2012/03/21 15:38, Todd T. Fries wrote:
> > Separately, I'd also love to be able to specify the certificate by name
> > per relay, as sometimes a given relayd instance might receive redirected
> > traffic for multiple external addresses. Sure, with RFC1918 one can
> > assign multiple addresses to the relayd system, but this would also be
> > useful.
> >
> > Yes, I have this on my todo list, but if anybody beats me to coding either
> > of the above, I will be glad to test ;-)
>
> http://www.mail-archive.com/tech@openbsd.org/msg02697.html
>
Updated for -current. (I didn't think it was worth adding a new variable and passing it through from config, it seems easy enough to use like this). Index: relay.c =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relay.c,v retrieving revision 1.144 diff -u -p -r1.144 relay.c --- relay.c 21 Jan 2012 13:40:48 -0000 1.144 +++ relay.c 21 Mar 2012 23:18:47 -0000 @@ -3139,6 +3139,7 @@ int relay_load_certfiles(struct relay *rlay) { struct protocol *proto = rlay->rl_proto; + int useport = htons(rlay->rl_conf.port); char certfile[PATH_MAX]; char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")]; 
@@ -3156,16 +3157,29 @@ relay_load_certfiles(struct relay *rlay) return (-1); if (snprintf(certfile, sizeof(certfile), - "/etc/ssl/%s.crt", hbuf) == -1) + "/etc/ssl/%s:%u.crt", hbuf, useport) == -1) return (-1); if ((rlay->rl_ssl_cert = relay_load_file(certfile, - &rlay->rl_conf.ssl_cert_len)) == NULL) - return (-1); + &rlay->rl_conf.ssl_cert_len)) == NULL) { + if (snprintf(certfile, sizeof(certfile), + "/etc/ssl/%s.crt", hbuf) == -1) + return (-1); + if ((rlay->rl_ssl_cert = relay_load_file(certfile, + &rlay->rl_conf.ssl_cert_len)) == NULL) + return (-1); + useport = 0; + } log_debug("%s: using certificate %s", __func__, certfile); - if (snprintf(certfile, sizeof(certfile), - "/etc/ssl/private/%s.key", hbuf) == -1) - return -1; + if (useport) { + if (snprintf(certfile, sizeof(certfile), + "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1) + return -1; + } else { + if (snprintf(certfile, sizeof(certfile), + "/etc/ssl/private/%s.key", hbuf) == -1) + return -1; + } if ((rlay->rl_ssl_key = relay_load_file(certfile, &rlay->rl_conf.ssl_key_len)) == NULL) return (-1); Index: relayd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.125 diff -u -p -r1.125 relayd.conf.5 --- relayd.conf.5 20 Jan 2012 12:16:41 -0000 1.125 +++ relayd.conf.5 21 Mar 2012 23:18:47 -0000 
@@ -632,13 +632,19 @@ If the .Ic ssl keyword is present, the relay will accept connections using the encrypted SSL protocol. -The relay will look up a private key in -.Pa /etc/ssl/private/address.key +The relay will attempt to look up a private key in +.Pa /etc/ssl/private/address:port.key and a public certificate in -.Pa /etc/ssl/address.crt , +.Pa /etc/ssl/address:port.crt , where .Ar address -is the specified IP address of the relay to listen on. +is the specified IP address and +.Ar port +is the specified port that the relay listens on. +If these files are not present, the relay will continue to look in +.Pa /etc/ssl/private/address.key +and +.Pa /etc/ssl/address.crt . See .Xr ssl 8 for details about SSL server certificates.
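Review bot: in the first relay.c hunk, `int useport = htons(rlay->rl_conf.port);` applies htons() to a stored port in order to get a printable host-order number, which is the conversion ntohs() names; the two are the same operation on every platform relayd runs on, so the value is right, but the call reads as the opposite intent and should be `ntohs()`. The variable is also doing two jobs, the number printed through `%u` and the "port-specific file was found" flag that is cleared to 0 in the next hunk; declaring it `u_int` (or casting at the `%u` conversions) matches the format specifier, and a short comment on the flag use would save the next reader a trip through the fallback logic.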
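Review bot: the fallback in the second relay.c hunk retries with `/etc/ssl/%s.crt` whenever relay_load_file() fails on the `address:port` certificate, not only when that file does not exist, so a permission or read error on a deliberately configured port-specific certificate is silently masked by whatever the per-address lookup yields. Restricting the retry to the not-found case (checking for ENOENT, or having relay_load_file() report a missing file distinctly) and returning -1 otherwise would keep the misconfiguration visible, and a log_debug() on the fallback path would help operators see which lookup actually won. Minor style point: the two new `return -1;` lines keep the unparenthesised form of the lines they replace, whereas the surrounding function and style(9) use `return (-1);`.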
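Review bot: in the relayd.conf.5 hunk, "If these files are not present, the relay will continue to look in ..." overstates the fallback: the code decides on the certificate alone, so if /etc/ssl/address:port.crt is present but /etc/ssl/private/address:port.key is not, the relay fails to load the key rather than falling back to address.key. The text should name the certificate as the file that decides, for example "If the port-specific certificate is not present, the relay will look in .Pa /etc/ssl/address.crt and .Pa /etc/ssl/private/address.key instead." It is also worth a sentence that with an IPv6 listen address the `address:port` name looks like one more address group (the `"/etc/ssl/%s:%u.crt"` format gives `::1:443.crt` for `::1` on port 443), so administrators know what file name to create.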