Hi folks,

It *appears* that relayd doesn't speak SNI when used as a transparent intercepting proxy à la http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception

What I did & what I saw:

Set up the proxy as per Reyk's article. Configs below. Running today's amd64 snapshot on vmware.

# uname -a
OpenBSD r2.mwlucas.org 6.0 GENERIC#204 amd64

Call up wapo.st from a client with my private CA installed. There's a cert error. The site identifies itself as bit.ly. https://bit.ly works fine.

Hit my blog, https://blather.michaelwlucas.com. Works fine. Call up any of my other TLS sites on that IP: https://mwl.io, https://michaelwlucas.com, https://michaelwarrenlucas.com, https://tiltedwindmillpress.com. All get identified as blather.

System setup:

# openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ca.key -out /etc/ssl/ca.crt
# openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/127.0.0.1:8443.key -out /etc/ssl/127.0.0.1:8443.crt

relayd.conf:
--
log all

http protocol "intercept" {
	tls ca cert "/etc/ssl/ca.crt"
	tls ca key "/etc/ssl/private/ca.key" password "komodia"
	pass url log
}

http protocol "wtf" {
	return error
}

relay "tlsintercept" {
	listen on 127.0.0.1 port 8443 tls
	protocol intercept
	forward with tls to destination
}

relay "proxy" {
	listen on 127.0.0.1 port 8080
	protocol wtf
	forward to destination
}
--

Am I screwing up here? Or is it a real bug?

Thanks,
==ml

-- 
Michael W. Lucas
Twitter @mwlauthor
nonfiction: https://www.michaelwlucas.com/
fiction: https://www.michaelwarrenlucas.com/
blog: http://blather.michaelwlucas.com/
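One way to check the symptom described above from an intercepted client, as an added example that is not part of the original post: connect with a given SNI name, keep chain verification against the private CA, and compare the names in the served certificate with the name that was requested. The probe() target, the CA file path and the sample certificate values are assumptions, not taken from the post.

```python
"""Does a TLS endpoint behind an intercepting proxy answer with a certificate
for the SNI name we sent?  Added example; hostname matching is done here
because ssl.match_hostname() was removed from recent Python versions."""
import socket
import ssl


def _label_match(pattern: str, name: str) -> bool:
    """Match a DNS name against a certificate name; a single wildcard is
    allowed only as the whole left-most label (RFC 6125 style)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate claims: dNSName SANs, or the subject CN only when
    no SAN is present.  `cert` has the dict shape of SSLSocket.getpeercert()."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_sni(cert: dict, sni: str) -> bool:
    return any(_label_match(n, sni) for n in cert_names(cert))


def probe(host: str, port: int, sni: str, cafile: str) -> tuple:
    """Connect to host:port sending `sni` in the ClientHello.  The chain is
    still verified against `cafile` (the interception CA); only the hostname
    check is done by us so a mismatch is reported rather than raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return cert_matches_sni(cert, sni), cert_names(cert)


# Constructed sample (values made up): a bit.ly certificate handed back when
# wapo.st was the name requested, as in the report above.
SERVED_FOR_WAPO = {
    "subject": ((("commonName", "bit.ly"),),),
    "subjectAltName": (("DNS", "bit.ly"), ("DNS", "*.bit.ly")),
}

if __name__ == "__main__":
    print(cert_matches_sni(SERVED_FOR_WAPO, "wapo.st"))  # False: wrong site presented
    # From the intercepted client: probe("mwl.io", 443, "mwl.io", "/etc/ssl/ca.crt")
```

Run probe() for each name the post lists from a client whose traffic is diverted to the relay; a False result with another site's names in the tuple reproduces the behaviour described.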
