-# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
+# $OpenBSD: relayd.conf,v 1.6 2023/10/29 11:27:11 kn Exp $
#
# Macros
#
}
#
-# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
+# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
#
http protocol https {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
}
relay wwwtls {
- # Run as a SSL/TLS accelerator
+ # Run as a TLS accelerator
listen on $ext_addr port 443 tls
protocol https
-.\" $OpenBSD: httpd.conf.5,v 1.123 2023/08/17 07:25:57 op Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.124 2023/10/29 11:27:11 kn Exp $
.\"
.\" Copyright (c) 2014, 2015 Reyk Floeter <reyk@openbsd.org>
.\"
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: August 17 2023 $
+.Dd $Mdocdate: October 29 2023 $
.Dt HTTPD.CONF 5
.Os
.Sh NAME
will be used (strong crypto cipher suites without anonymous DH).
See the CIPHERS section of
.Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
.It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional
Require
.Po
-/* $OpenBSD: parse.y,v 1.254 2023/07/03 09:38:08 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
%token LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT PATH
%token PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY REMOVE
%token REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND
-%token SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
+%token SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
%token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
%token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
}
;
-ssltls : SSL {
- log_warnx("%s:%d: %s",
- file->name, yylval.lineno,
- "please use the \"tls\" keyword"
- " instead of \"ssl\"");
- }
- | TLS
- ;
-
opttls : /*empty*/ { $$ = 0; }
- | ssltls { $$ = 1; }
+ | TLS { $$ = 1; }
;
opttlsclient : /*empty*/ { $$ = 0; }
- | WITH ssltls { $$ = 1; }
+ | WITH TLS { $$ = 1; }
;
http_type : HTTP { $$ = 0; }
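Review bot: Configurations that still use the deprecated `ssl` keyword now fail at parse time instead of being accepted with the warning that the removed `ssltls` rule printed (lines 55-58), and nothing in the diff tells operators that: the relayd.conf.5 hunk only drops the sentence about the SSL term. Because `ssl` is also dropped from the keyword table in the later parse.y hunk, it presumably lexes as an ordinary string and yields a generic syntax error that does not point at the rename. Consider adding one line to relayd.conf.5 where TLS is introduced, e.g. `The deprecated keyword ssl is no longer accepted; use tls instead.`, so a config check before upgrade explains the failure. The opttls, opttlsclient, tablecheck and protoptsl rules and the keyword-table hunk are all the same change and need no separate note.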
tablecheck : ICMP { table->conf.check = CHECK_ICMP; }
| TCP { table->conf.check = CHECK_TCP; }
- | ssltls {
+ | TLS {
table->conf.check = CHECK_TCP;
conf->sc_conf.flags |= F_TLS;
table->conf.flags |= F_TLS;
| protoptsl optnl
;
-protoptsl : ssltls {
+protoptsl : TLS {
if (!(proto->type == RELAY_PROTO_TCP ||
proto->type == RELAY_PROTO_HTTP)) {
yyerror("can set tls options only for "
YYERROR;
}
} tlsflags
- | ssltls {
+ | TLS {
if (!(proto->type == RELAY_PROTO_TCP ||
proto->type == RELAY_PROTO_HTTP)) {
yyerror("can set tls options only for "
{ "socket", SOCKET },
{ "source-hash", SRCHASH },
{ "splice", SPLICE },
- { "ssl", SSL },
{ "state", STATE },
{ "sticky-address", STICKYADDR },
{ "strip", STRIP },
-/* $OpenBSD: relay.c,v 1.257 2023/09/03 10:22:03 nicm Exp $ */
+/* $OpenBSD: relay.c,v 1.258 2023/10/29 11:27:11 kn Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
{
uint32_t protocols = 0;
- /* Set the allowed SSL protocols */
+ /* Set the allowed TLS protocols */
if (proto->tlsflags & TLSFLAG_TLSV1_2)
protocols |= TLS_PROTOCOL_TLSv1_2;
if (proto->tlsflags & TLSFLAG_TLSV1_3)
/*
* Use the public key as the "private" key - the secret key
* parameters are hidden in an extra process that will be
- * contacted by the RSA engine. The SSL/TLS library needs at
+ * contacted by the RSA engine. The TLS library needs at
* least the public key parameters in the current process.
*/
tls_config_use_fake_private_key(tls_cfg);
-.\" $OpenBSD: relayd.conf.5,v 1.206 2023/06/06 15:16:52 beck Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: June 6 2023 $
+.Dd $Mdocdate: October 29 2023 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
.Xr relayd 8
supports the Transport Layer Security (TLS) cryptographic protocol for
authenticated and encrypted relays.
-TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
-but the term SSL is sometimes still used in modern TLS-based applications.
.Xr relayd 8
can operate as a TLS client or server to offer a variety of options
for different use cases related to TLS.
.Xr relayd 8
will accept connections from clients as a TLS server.
This mode is also known as
-.Dq SSL/TLS acceleration .
+.Dq TLS acceleration .
See the
.Ic listen on
description in the
will be used (strong crypto cipher suites without anonymous DH).
See the CIPHERS section of
.Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
.It Ic client-renegotiation
Allow client-initiated renegotiation.
To mitigate a potential DoS risk,
.Ar name .
See
.Xr ssl 8
-for details about SSL/TLS server certificates.
+for details about TLS server certificates.
.Pp
An optional OCSP staple file will be used during TLS handshakes with
this server if it is found as a non-empty file in
match label "Prohibited!"
block url "social.network.example.com/"
- # New configuration directives for SSL/TLS Interception
+ # New configuration directives for TLS Interception
tls ca key "/etc/ssl/private/ca.key" password "password123"
tls ca cert "/etc/ssl/ca.crt"
}