Klemens Nanni(k...@openbsd.org) on 2023.10.26 13:28:42 +0000: > On Tue, Oct 24, 2023 at 09:09:21AM +0200, Peter N. M. Hansteen wrote: > > On Tue, Oct 24, 2023 at 06:54:30AM +0000, Klemens Nanni wrote: > > > - parse.y still accepting undocumented "ssl" with a warning since 2014 > > > - more "SSL/TLS" instead of "TLS" in manual and code comments > > > > my take would be that while it's fine to streamline the documentation to use > > the modern terminology, I suspect there may still be ancient configurations > > out there that use the "ssl" keyword, so removing the last bit of support > > for > > that option should be accompanied by or preceded by a warning on relevant > > mailing lists or at least in the commit message. > > > > And I think undeadly.org would be more than happy to help spread the word :) > > current.html entry should do for a deprecated keyword we've been warning > about for almost ten years...
Yes, please kick it where it belongs.
> I've checked faq/upgrade*.html for previous
> notes, but couldn't find any.
no, because it wasnt removed after 2 releases with the warning.
> Here's a first try, relayd regress is also happy.
ok benno@
> Index: usr.sbin/relayd/parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.254
> diff -u -p -r1.254 parse.y
> --- usr.sbin/relayd/parse.y 3 Jul 2023 09:38:08 -0000 1.254
> +++ usr.sbin/relayd/parse.y 26 Oct 2023 06:07:08 -0000
> @@ -175,7 +175,7 @@ typedef struct {
> %token LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT
> PATH
> %token PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY
> REMOVE
> %token REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK
> SCRIPT SEND
> -%token SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG
> TAGGED TCP
> +%token SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED
> TCP
> %token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
> %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE
> PASSWORD ECDHE
> %token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES
> CHECKS
> @@ -227,21 +227,12 @@ include : INCLUDE STRING {
> }
> ;
>
> -ssltls : SSL {
> - log_warnx("%s:%d: %s",
> - file->name, yylval.lineno,
> - "please use the \"tls\" keyword"
> - " instead of \"ssl\"");
> - }
> - | TLS
> - ;
>
> opttls : /*empty*/ { $$ = 0; }
> - | ssltls { $$ = 1; }
> + | TLS { $$ = 1; }
> ;
>
> opttlsclient : /*empty*/ { $$ = 0; }
> - | WITH ssltls { $$ = 1; }
> + | WITH TLS { $$ = 1; }
> ;
>
> http_type : HTTP { $$ = 0; }
> @@ -905,7 +896,7 @@ hashkey : /* empty */ {
>
> tablecheck : ICMP { table->conf.check = CHECK_ICMP; }
> | TCP { table->conf.check = CHECK_TCP; }
> - | ssltls {
> + | TLS {
> table->conf.check = CHECK_TCP;
> conf->sc_conf.flags |= F_TLS;
> table->conf.flags |= F_TLS;
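Review bot: With the `SSL` alternative of `ssltls` removed in the `@@ -227` hunk, a relayd.conf that still says `ssl` loses the explanatory log_warnx this rule used to emit, and because the lookup() entry is dropped in the same diff the word presumably lexes as a plain STRING, leaving the user with only a generic syntax error at that line. The thread itself expects ancient configurations to still carry the keyword, so one release of a hard, self-explaining error would be kinder than a silent downgrade of the message: keep the `SSL` token and lookup entry and replace the warning alternative with `| SSL { yyerror("the \"ssl\" keyword has been removed, use \"tls\""); YYERROR; }`. If the keyword is dropped outright as proposed, the current.html entry should quote the exact error text users will see so it is searchable.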
> @@ -1114,7 +1105,7 @@ protopts_l : protopts_l protoptsl nl
> | protoptsl optnl
> ;
>
> -protoptsl : ssltls {
> +protoptsl : TLS {
> if (!(proto->type == RELAY_PROTO_TCP ||
> proto->type == RELAY_PROTO_HTTP)) {
> yyerror("can set tls options only for "
> @@ -1122,7 +1113,7 @@ protoptsl : ssltls {
> YYERROR;
> }
> } tlsflags
> - | ssltls {
> + | TLS {
> if (!(proto->type == RELAY_PROTO_TCP ||
> proto->type == RELAY_PROTO_HTTP)) {
> yyerror("can set tls options only for "
> @@ -2492,7 +2483,6 @@ lookup(char *s)
> { "socket", SOCKET },
> { "source-hash", SRCHASH },
> { "splice", SPLICE },
> - { "ssl", SSL },
> { "state", STATE },
> { "sticky-address", STICKYADDR },
> { "strip", STRIP },
> Index: usr.sbin/relayd/relay.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
> retrieving revision 1.257
> diff -u -p -r1.257 relay.c
> --- usr.sbin/relayd/relay.c 3 Sep 2023 10:22:03 -0000 1.257
> +++ usr.sbin/relayd/relay.c 26 Oct 2023 05:49:22 -0000
> @@ -2064,7 +2064,7 @@ relay_tls_ctx_create_proto(struct protoc
> {
> uint32_t protocols = 0;
>
> - /* Set the allowed SSL protocols */
> + /* Set the allowed TLS protocols */
> if (proto->tlsflags & TLSFLAG_TLSV1_2)
> protocols |= TLS_PROTOCOL_TLSv1_2;
> if (proto->tlsflags & TLSFLAG_TLSV1_3)
> @@ -2186,7 +2186,7 @@ relay_tls_ctx_create(struct relay *rlay)
> /*
> * Use the public key as the "private" key - the secret key
> * parameters are hidden in an extra process that will be
> - * contacted by the RSA engine. The SSL/TLS library needs at
> + * contacted by the RSA engine. The TLS library needs at
> * least the public key parameters in the current process.
> */
> tls_config_use_fake_private_key(tls_cfg);
> Index: usr.sbin/relayd/relayd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
> retrieving revision 1.206
> diff -u -p -r1.206 relayd.conf.5
> --- usr.sbin/relayd/relayd.conf.5 6 Jun 2023 15:16:52 -0000 1.206
> +++ usr.sbin/relayd/relayd.conf.5 26 Oct 2023 06:18:10 -0000
> @@ -728,8 +728,6 @@ In addition to plain TCP,
> .Xr relayd 8
> supports the Transport Layer Security (TLS) cryptographic protocol for
> authenticated and encrypted relays.
> -TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
> -but the term SSL is sometimes still used in modern TLS-based applications.
> .Xr relayd 8
> can operate as a TLS client or server to offer a variety of options
> for different use cases related to TLS.
> @@ -758,7 +756,7 @@ statements,
> .Xr relayd 8
> will accept connections from clients as a TLS server.
> This mode is also known as
> -.Dq SSL/TLS acceleration .
> +.Dq TLS acceleration .
> See the
> .Ic listen on
> description in the
> @@ -947,7 +945,7 @@ If not specified, the default value
> will be used (strong crypto cipher suites without anonymous DH).
> See the CIPHERS section of
> .Xr openssl 1
> -for information about SSL/TLS cipher suites and preference lists.
> +for information about TLS cipher suites and preference lists.
> .It Ic client-renegotiation
> Allow client-initiated renegotiation.
> To mitigate a potential DoS risk,
> @@ -994,7 +992,7 @@ a keypair will be loaded using the speci
> .Ar name .
> See
> .Xr ssl 8
> -for details about SSL/TLS server certificates.
> +for details about TLS server certificates.
> .Pp
> An optional OCSP staple file will be used during TLS handshakes with
> this server if it is found as a non-empty file in
> @@ -1621,7 +1619,7 @@ http protocol httpfilter {
> match label "Prohibited!"
> block url "social.network.example.com/"
>
> - # New configuration directives for SSL/TLS Interception
> + # New configuration directives for TLS Interception
> tls ca key "/etc/ssl/private/ca.key" password "password123"
> tls ca cert "/etc/ssl/ca.crt"
> }
> Index: usr.sbin/httpd/httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.123
> diff -u -p -r1.123 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5 17 Aug 2023 07:25:57 -0000 1.123
> +++ usr.sbin/httpd/httpd.conf.5 26 Oct 2023 06:18:27 -0000
> @@ -649,7 +649,7 @@ If not specified, the default value
> will be used (strong crypto cipher suites without anonymous DH).
> See the CIPHERS section of
> .Xr openssl 1
> -for information about SSL/TLS cipher suites and preference lists.
> +for information about TLS cipher suites and preference lists.
> .It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional
> Require
> .Po
> Index: etc/examples//relayd.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/relayd.conf,v
> retrieving revision 1.5
> diff -u -p -r1.5 relayd.conf
> --- etc/examples//relayd.conf 6 May 2018 20:56:55 -0000 1.5
> +++ etc/examples//relayd.conf 26 Oct 2023 05:47:17 -0000
> @@ -34,7 +34,7 @@ redirect www {
> }
>
> #
> -# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> +# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
> #
> http protocol https {
> match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> @@ -50,7 +50,7 @@ http protocol https {
> }
>
> relay wwwtls {
> - # Run as a SSL/TLS accelerator
> + # Run as a TLS accelerator
> listen on $ext_addr port 443 tls
> protocol https
>
>