Hi! I have planned to do it myself for quite a long time but never got around to doing it. In my testing it works great.
I have a patch on top of this which allows passing the remote certificate and/or parts of it to backend hosts via HTTP headers.

Rivo

On Thu, 2018-12-06 at 05:17 +0000, Ashe Connor wrote:
> It's been a week or so, so bumping. (Benno was kind enough to offer
> a review but was time-poor recently.)
>
> Here's a diff for the manpage too.
>
> Ashe
>
> Index: usr.sbin/relayd/relayd.conf.5 > =================================================================== > RCS file: > /home/kivikakk/cvsync/root/src/usr.sbin/relayd/relayd.conf.5,v > retrieving revision 1.187 > retrieving revision 1.187.6.1 > diff -u -p -r1.187 -r1.187.6.1 > --- usr.sbin/relayd/relayd.conf.5 6 Aug 2018 18:26:29 -0000 1.187 > +++ usr.sbin/relayd/relayd.conf.5 30 Nov 2018 21:10:06 -0000 > 1.187.6.1 > @@ -939,6 +939,10 @@ will be used (strong crypto cipher suite > See the CIPHERS section of > .Xr openssl 1 > for information about SSL/TLS cipher suites and preference lists. > +.It Ic client ca Ar path > +Require TLS client certificates whose authenticity can be verified > +against the CA certificate(s) in the specified file in order to > +proceed beyond the TLS handshake. > .It Ic client-renegotiation > Allow client-initiated renegotiation. > To mitigate a potential DoS risk, >
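Review bot: the new `.It Ic client ca Ar path` entry says what is verified but not what happens when verification cannot succeed; a reader cannot tell from "in order to proceed beyond the TLS handshake" whether a client that presents no certificate, or one that does not chain to the listed CA(s), has its connection closed during the handshake or is still relayed. Add one explicit sentence on the failure case, e.g. `Connections that do not present a certificate verifiable against this file are closed.` Since "CA certificate(s)" implies the file may hold more than one issuer, also name the expected format (a concatenated PEM bundle) so operators know they can ship an intermediate and a root together.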
