Hi all, I was trying to score 100 on all the tests over at ssllabs.com, but seem to only reach 90 on "Key Exchange". Not sure if it's related, but I was playing with the "dhe" option in relayd.conf(5) in order to increase the number of bits used for the ephemeral key. No matter how I specified the option, nothing really changed, and I started reading the code in order to understand what the option actually does. I might be completely wrong, but from my understanding, it feeds the params of "dhe" as the second argument to tls_config_set_dheparams(), which expects "none", "legacy" or "auto".
My guess is that tls_config_set_dheparams() has been updated and the manual for relayd.conf(5) has not. Here's a diff that hopefully solves that.

Jesper Wallin

Index: relayd.conf.5 =================================================================== RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.195 diff -u -p -r1.195 relayd.conf.5 --- relayd.conf.5 23 Apr 2020 21:28:10 -0000 1.195 +++ relayd.conf.5 1 May 2020 09:58:27 -0000 @@ -960,17 +960,13 @@ suites, in order of preference. The special value of "default" will use the default curves; see .Xr tls_config_set_ecdhecurves 3 for further details. -.It Ic edh Op Ic params Ar maximum +.It Ic edh Op Ar mode Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for older clients that do not support ECDHE. -If the -.Ar maximum -length of the DH params for EDH is not specified, the default value of -1024 bits will be used. -Other possible values are numbers between 1024 and 8192, including -1024, 1536, 2048, 4096, or 8192. -Values higher than 1024 bits can cause incompatibilities with older -TLS clients. +Possible values are "none", "auto" and "legacy". +In "auto" mode, the key size for the ephemeral key is automatically selected +based on the size of the private key being used for signing. +In "legacy" mode, 1024 bit ephemeral keys are used. The default is .Ic no edh . .It Ic keypair Ar name
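Review bot: the replacement text under ".It Ic edh Op Ar mode" drops two things the old wording stated: which mode applies when "edh" is given without a mode (the "Op" still makes the argument optional, but the removed "the default value of 1024 bits will be used" sentence is not replaced by a default for the new form), and how "edh none" relates to the unchanged "The default is .Ic no edh ." line that follows it. Consider adding "If no mode is given, ... is used" with whatever value the code actually selects, and either dropping "none" from the list or stating that it is equivalent to "no edh". The old caveat about older TLS clients is also gone; since the new text only says that "legacy" uses 1024 bit keys, a sentence saying that "legacy" exists for older clients and that "auto" should be preferred otherwise would keep that guidance. Minor: "1024 bit ephemeral keys" should be hyphenated as "1024-bit".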
