PS: I am running OpenBSD 6.8 stable on amd64.

On Sat, Feb 27, 2021 at 03:48:04PM +0800, [email protected] wrote:
> I was trying to configure relayd for TLS acceleration when I noticed an unusual error.
> 
> Here is my /etc/relayd.conf (with actual IPs and domains replaced):
> 
> ip4="192.0.2.1"
> ip6="2001:db8::"
> table <www> { 127.0.0.1 }
> table <bnc> { 127.0.0.1 }
> 
> log connection
> 
> http protocol https {
>         match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>         match request header append "X-Forwarded-By" \
>             value "$SERVER_ADDR:$SERVER_PORT"
>         match request header set "Connection" value "close"
> 
>         # Various TCP options
>         tcp { sack, backlog 128 }
> 
>         tls { keypair example.com }
>         match request header "Host" value "www.example.com" forward to <www>
> }
> 
> relay wwwtls {
>         listen on $ip4 port 443 tls
>         listen on $ip6 port 443 tls
>         protocol https
>         forward to <www> port 8001 check icmp
> }
> 
> I set up symlinks for the SSL certs as follows:
> 
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/example.com:443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/example.com:443.key
> 
> I then start relayd:
> 
> $ doas relayd -dvv
> 
> and get the following errors:
> 
> relay_load_certfiles: using certificate /etc/ssl/example.com:443.crt
> relay_load_certfiles: using private key /etc/ssl/private/example.com:443.key
> /etc/relayd.conf:26: cannot load certificates for relay wwwtls2:443
> 
> I discovered that if I comment out the below line, line 23, relayd works:
> 
> listen on $ip6 port 443 tls
> 
> So if I uncomment out the IPv6 listener, relayd works just fine.
> 
> If I include the IPv6 listener but create symlinks with IPv6 addresses like follows:
> 
> $ doas ln -s /etc/ssl/example.com.fullchain.pem /etc/ssl/2001:db8:::443.crt
> $ doas ln -s /etc/ssl/private/example.com.key /etc/ssl/private/2001:db8:::443.key
> 
> Then it seems relayd also works. So I suspect relayd is ignoring
> the tls keypair directive for IPv6 addresses. In other words, when IPv6 is enabled,
> relayd appears to ignore:
> 
> tls { keypair example.com }
> 
> Can someone verify if this is correct behavior, if I misconfigured, or
> if this is a bug?
> 
> jrmu
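A small diagnostic script, added here as an example and not part of the thread or of relayd itself, that walks each listener of a relay and reports which certificate/key pair would satisfy it, plus whether the resolved private key is group/world readable. It assumes the lookup order the thread suggests (`<name>:<port>` before `<name>`, and the keypair name before the listen address), which is an assumption and not something the thread confirms; `SSLROOT` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed lookup order per name:
# $SSLROOT/<name>:<port>.crt, then $SSLROOT/<name>.crt, keys under
# $SSLROOT/private. SSLROOT defaults to /etc/ssl; point it at a scratch tree
# to run the check offline.
SSLROOT=${SSLROOT:-/etc/ssl}

# key_is_private FILE: succeed if the symlink-resolved key is mode 0600-ish
# (no group or other read bit).
key_is_private() {
    [ -z "$(find -L "$1" -prune \( -perm -g+r -o -perm -o+r \) 2>/dev/null)" ]
}

# find_keypair NAME PORT: print "cert key" for the first existing pair,
# return 1 if neither candidate exists.
find_keypair() {
    for base in "$1:$2" "$1"; do
        crt=$SSLROOT/$base.crt
        key=$SSLROOT/private/$base.key
        if [ -r "$crt" ] && [ -r "$key" ]; then
            printf '%s %s\n' "$crt" "$key"
            return 0
        fi
    done
    return 1
}

# check_relay PORT KEYPAIR ADDR...: try the keypair name (if given) and then
# the listener address for every ADDR. Returns the number of listeners that
# have no usable pair at all, so a non-zero status means relayd -dvv would
# be expected to complain about at least one listener.
check_relay() {
    port=$1; keypair=$2; shift 2
    failed=0
    for addr in "$@"; do
        pair=
        if [ -n "$keypair" ]; then
            pair=$(find_keypair "$keypair" "$port") || pair=
        fi
        [ -n "$pair" ] || pair=$(find_keypair "$addr" "$port") || pair=
        if [ -z "$pair" ]; then
            echo "listener $addr:$port: no certificate/key pair found"
            failed=$((failed + 1))
            continue
        fi
        echo "listener $addr:$port: using $pair"
        key_is_private "${pair#* }" || echo "  warning: key is group/world readable"
    done
    return $failed
}

# Usage: sh relaycheck.sh 443 example.com 192.0.2.1 2001:db8::
[ $# -ge 3 ] && check_relay "$@"
```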
