On 2012/03/21 20:51, Stuart Henderson wrote:
> On 2012/03/21 15:38, Todd T. Fries wrote:
> > Separately, I'd also love to be able to specify the certificate by name
> > per relay, as sometimes a given relayd instance might receive redirected
> > traffic for multiple external addresses.  Sure, with RFC1918 one can
> > assign multiple addresses to the relayd system, but this would also be
> > useful.
> > 
> > Yes, I have this on my todo list, but if anybody beats me to coding either
> > of the above, I will be glad to test ;-)
> 
> http://www.mail-archive.com/tech@openbsd.org/msg02697.html
> 

Updated for -current. (I didn't think it was worth adding a new
variable and passing it through from config; it seems easy enough
to use like this.)

Index: relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.144
diff -u -p -r1.144 relay.c
--- relay.c     21 Jan 2012 13:40:48 -0000      1.144
+++ relay.c     21 Mar 2012 23:18:47 -0000
@@ -3139,6 +3139,7 @@ int
 relay_load_certfiles(struct relay *rlay)
 {
        struct protocol *proto = rlay->rl_proto;
+       int      useport = htons(rlay->rl_conf.port);
        char     certfile[PATH_MAX];
        char     hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
 
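Review bot: `useport` is declared `int` but is later passed to `%u` in the two `snprintf()` calls, which expects `unsigned int`; declaring it `u_int useport` keeps the format and argument types consistent. Separately, the value ends up as a human-readable decimal in the file name, so it must be in host byte order; if `rl_conf.port` is kept in network byte order, `ntohs(rlay->rl_conf.port)` states that intent more clearly than `htons()`, even though both swap the same bytes.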
@@ -3156,16 +3157,29 @@ relay_load_certfiles(struct relay *rlay)
                return (-1);
 
        if (snprintf(certfile, sizeof(certfile),
-           "/etc/ssl/%s.crt", hbuf) == -1)
+           "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
                return (-1);
        if ((rlay->rl_ssl_cert = relay_load_file(certfile,
-           &rlay->rl_conf.ssl_cert_len)) == NULL)
-               return (-1);
+           &rlay->rl_conf.ssl_cert_len)) == NULL) {
+               if (snprintf(certfile, sizeof(certfile),
+                   "/etc/ssl/%s.crt", hbuf) == -1)
+                       return (-1);
+               if ((rlay->rl_ssl_cert = relay_load_file(certfile,
+                   &rlay->rl_conf.ssl_cert_len)) == NULL)
+                       return (-1);
+               useport = 0;
+       }
        log_debug("%s: using certificate %s", __func__, certfile);
 
-       if (snprintf(certfile, sizeof(certfile),
-           "/etc/ssl/private/%s.key", hbuf) == -1)
-               return -1;
+       if (useport) {
+               if (snprintf(certfile, sizeof(certfile),
+                   "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1)
+                       return -1;
+       } else {
+               if (snprintf(certfile, sizeof(certfile),
+                   "/etc/ssl/private/%s.key", hbuf) == -1)
+                       return -1;
+       }
        if ((rlay->rl_ssl_key = relay_load_file(certfile,
            &rlay->rl_conf.ssl_key_len)) == NULL)
                return (-1);
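Review bot: the fallback is keyed only on the certificate: when `/etc/ssl/<address>:<port>.crt` loads but `/etc/ssl/private/<address>:<port>.key` is missing, the function returns -1 without trying `/etc/ssl/private/<address>.key`. Pairing a certificate from one name with a key from the other would not match, so failing here is the safer behaviour, but it should be stated explicitly (a short comment above `if (useport)` would do) and the man page text in this diff should agree with it. Since `log_debug()` runs before the key path is chosen, the key file name is never logged; adding a `log_debug("%s: using private key %s", __func__, certfile);` after the key `snprintf()` would make a missing port-specific key much easier to diagnose. The new lines also mix `return (-1)` and `return -1`; pick one form.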
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.125
diff -u -p -r1.125 relayd.conf.5
--- relayd.conf.5       20 Jan 2012 12:16:41 -0000      1.125
+++ relayd.conf.5       21 Mar 2012 23:18:47 -0000
@@ -632,13 +632,19 @@ If the
 .Ic ssl
 keyword is present, the relay will accept connections using the
 encrypted SSL protocol.
-The relay will look up a private key in
-.Pa /etc/ssl/private/address.key
+The relay will attempt to look up a private key in
+.Pa /etc/ssl/private/address:port.key
 and a public certificate in
-.Pa /etc/ssl/address.crt ,
+.Pa /etc/ssl/address:port.crt ,
 where
 .Ar address
-is the specified IP address of the relay to listen on.
+is the specified IP address and
+.Ar port
+is the specified port that the relay listens on.
+If these files are not present, the relay will continue to look in
+.Pa /etc/ssl/private/address.key
+and
+.Pa /etc/ssl/address.crt .
 See
 .Xr ssl 8
 for details about SSL server certificates.
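Review bot: "If these files are not present" reads as though both the key and the certificate are checked before falling back, but the relay.c hunk in this diff only falls back when the port-specific certificate cannot be loaded; the key is then taken from the matching name and no further fallback is attempted. Suggest wording it as "If the port-specific certificate is not present, the relay will instead look for .Pa /etc/ssl/private/address.key and .Pa /etc/ssl/address.crt ." so the documented behaviour matches the code.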
