[moved to t...@]
In gmane.os.openbsd.misc, Bryan Irvine wrote:
> On Tue, May 11, 2010 at 5:05 PM, Keith <[email protected]> wrote:
>> Hi. is it possible to get multiple http relayd relays listening on localhost
>> each with a different port # and each with a different ssl certificate ?
>
[...]
>
> I can't think of a situation where what you describe doesn't sound
> wacky. Maybe I misunderstand the intentions, can you link the
> 'tutorial'?
>
> Also, to do more than 1 SSL site you will just need to add another IP
> that corresponds with the cert. Maybe 'ifconfig lo1 127.0.0.2' is
> enough?
Assigning new addresses just for this seems like an almighty hack.
And besides, what if you want to do this directly on an external address?
This diff seems to work... (note that the log_debug()s which print
the filename in this function aren't actually displayed or logged;
it's too early in the startup, but by changing them to log_info you
can see the filenames; that's not included in this diff as it spams
the console).
Index: relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.119
diff -u -p -r1.119 relay.c
--- relay.c 18 Feb 2010 16:33:25 -0000 1.119
+++ relay.c 15 May 2010 12:25:04 -0000
@@ -3151,6 +3151,7 @@ int
relay_load_certfiles(struct relay *rlay)
{
struct protocol *proto = rlay->rl_proto;
+ int useport = htons(rlay->rl_conf.port);
char certfile[PATH_MAX];
char hbuf[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
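Review bot: the conversion on the added line `int useport = htons(rlay->rl_conf.port);` is named backwards for what the hunk does with it. The value is printed with `%u` as the human-readable port in a filename, so the intent is network-to-host order and the call should be `ntohs()`; `htons()` only yields the same result because the 16-bit byte swap is symmetric, and it misleads a reader into thinking `rl_conf.port` is held in host order. Consider `in_port_t` or `unsigned` rather than `int` as well, since `%u` expects an unsigned argument and a negative port is never meaningful.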
@@ -3168,16 +3169,30 @@ relay_load_certfiles(struct relay *rlay)
return (-1);
if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/%s.crt", hbuf) == -1)
+ "/etc/ssl/%s:%u.crt", hbuf, useport) == -1)
return (-1);
if ((rlay->rl_ssl_cert = relay_load_file(certfile,
- &rlay->rl_ssl_cert_len)) == NULL)
- return (-1);
+ &rlay->rl_ssl_cert_len)) == NULL) {
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/%s.crt", hbuf) == -1)
+ return (-1);
+ if ((rlay->rl_ssl_cert = relay_load_file(certfile,
+ &rlay->rl_ssl_cert_len)) == NULL)
+ return (-1);
+ useport = 0;
+ }
+
log_debug("relay_load_certfiles: using certificate %s", certfile);
- if (snprintf(certfile, sizeof(certfile),
- "/etc/ssl/private/%s.key", hbuf) == -1)
- return -1;
+ if (useport) {
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/private/%s:%u.key", hbuf, useport) == -1)
+ return -1;
+ } else {
+ if (snprintf(certfile, sizeof(certfile),
+ "/etc/ssl/private/%s.key", hbuf) == -1)
+ return -1;
+ }
if ((rlay->rl_ssl_key = relay_load_file(certfile,
&rlay->rl_ssl_key_len)) == NULL)
return (-1);
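Review bot: the certificate and the key fall back asymmetrically in this hunk. If `/etc/ssl/<address>:<port>.crt` loads, `useport` stays set and the key is taken only from `/etc/ssl/private/<address>:<port>.key`, so a host that has the new-style certificate but still the old `<address>.key` fails to start instead of falling back. Refusing to pair a certificate with a key found under a different name is the safer choice, but it should be stated as deliberate and the failure path should name the key file it expected, so the operator can see it was the port-specific one. Two smaller points: if `relay_load_file()` warns when it cannot open the file, every relay that keeps address-only files will now log a spurious warning for the missed port-specific certificate on each start, so check the path with `stat()` first or load quietly on the first attempt; and the new `return -1;` lines in the `useport` branches should be `return (-1);` to match the rest of the function (the pre-existing `return -1;` was already the odd one out). Finally, `hbuf` already contains colons for IPv6 listeners, so names such as `::1:443.crt` are hard to read; a separator other than `:` between address and port would be unambiguous.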
Index: relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.112
diff -u -p -r1.112 relayd.conf.5
--- relayd.conf.5 1 Sep 2009 13:43:36 -0000 1.112
+++ relayd.conf.5 15 May 2010 12:25:04 -0000
@@ -611,13 +611,19 @@ If the
.Ic ssl
keyword is present, the relay will accept connections using the
encrypted SSL protocol.
-The relay will look up a private key in
-.Pa /etc/ssl/private/address.key
+The relay will attempt to look up a private key in
+.Pa /etc/ssl/private/address:port.key
and a public certificate in
-.Pa /etc/ssl/address.crt ,
+.Pa /etc/ssl/address:port.crt ,
where
.Ar address
-is the specified IP address of the relay to listen on.
+is the specified IP address and
+.Ar port
+is the specified port that the relay listens on.
+If these files are not present, the relay will continue to look in
+.Pa /etc/ssl/private/address.key
+and
+.Pa /etc/ssl/address.crt .
See
.Xr ssl 8
for details about SSL server certificates.
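Review bot: the added sentence "If these files are not present, the relay will continue to look in ..." describes a fallback that the relay.c change applies only to the certificate. Per the code, once `address:port.crt` is found the key is looked up solely as `address:port.key`, and a missing port-specific key is an error rather than a fallback to `address.key`. Reword to say that the fallback to `address.crt` and `address.key` happens when the port-specific certificate is absent, and that the private key must exist under the same naming form as the certificate that was used; as written, an operator following this text will expect a mixed configuration to work and will get an unexplained startup failure instead.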