From 3cf4eea4fe1dee15885a9113707cd3e31e83afda Mon Sep 17 00:00:00 2001 From: beck Date: Tue, 6 Jun 2023 15:16:52 +0000 Subject: [PATCH] Make the tlsv1.0 and tlsv1.1 options in relayd do nothing Also document that fact, and that the existing ssl3 option does nothing. This changes relayd to no longer request tls1.0 or tls1.1 in preparation for the upcoming deprecation of these out of data protocols ok jsing@ bluhm@ tb@ claudio@ benno@ --- usr.sbin/relayd/relay.c | 6 +----- usr.sbin/relayd/relayd.conf.5 | 20 ++++++-------------- 2 files changed, 7 insertions(+), 19 deletions(-) diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c index 7491570445d..3341baad659 100644 --- a/usr.sbin/relayd/relay.c +++ b/usr.sbin/relayd/relay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay.c,v 1.255 2022/12/28 21:30:18 jmc Exp $ */ +/* $OpenBSD: relay.c,v 1.256 2023/06/06 15:16:52 beck Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter @@ -2065,10 +2065,6 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg) uint32_t protocols = 0; /* Set the allowed SSL protocols */ - if (proto->tlsflags & TLSFLAG_TLSV1_0) - protocols |= TLS_PROTOCOL_TLSv1_0; - if (proto->tlsflags & TLSFLAG_TLSV1_1) - protocols |= TLS_PROTOCOL_TLSv1_1; if (proto->tlsflags & TLSFLAG_TLSV1_2) protocols |= TLS_PROTOCOL_TLSv1_2; if (proto->tlsflags & TLSFLAG_TLSV1_3) diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index 90ee6995fd5..679da2e1322 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.205 2022/03/31 17:27:31 naddy Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.206 2023/06/06 15:16:52 beck Exp $ .\" .\" Copyright (c) 2006 - 2016 Reyk Floeter .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard 
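Review bot: With the two `if` branches gone, `TLSFLAG_TLSV1_0` and `TLSFLAG_TLSV1_1` can still be set in `proto->tlsflags` (the man page change keeps the `tlsv1.0`/`tlsv1.1` keywords accepted as no-ops) but are never consulted in relay_tls_ctx_create_proto, and nothing in the hunk records that this is deliberate. A one-line comment under `/* Set the allowed SSL protocols */` would stop a later reader from "restoring" the branches: `/* TLSFLAG_TLSV1_0 and TLSFLAG_TLSV1_1 are intentionally ignored: tlsv1.0/tlsv1.1 are deprecated no-ops, TLSv1.2 is the floor */`. A configuration that enables only the deprecated versions and disables TLSv1.2 and TLSv1.3 now leaves `protocols` at 0 here; what the consumer of that value does with 0 is outside the hunk and worth confirming, as is logging a warning where the deprecated keywords are parsed so operators notice the silent no-op rather than assuming the old protocols were enabled. relay_tls_ctx_create_proto starts and ends outside the hunk.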
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 6 2023 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -1021,27 +1021,19 @@ The default is to enable TLSv1.3.
 Disable the TLSv1.2 protocol.
 The default is to enable TLSv1.2.
 .It Ic sslv3
-Enable the SSLv3 protocol.
-The default is
-.Ic no sslv3 .
+Is deprecated and does nothing.
 .It Ic tlsv1
 Enable all TLSv1 protocols.
-This is an alias that includes
-.Ic tlsv1.0 ,
-.Ic tlsv1.1 ,
+This is an alias that currently includes
 .Ic tlsv1.2 ,
 and
 .Ic tlsv1.3 .
 The default is
 .Ic no tlsv1 .
 .It Ic tlsv1.0
-Enable the TLSv1.0 protocol.
-The default is
-.Ic no tlsv1.0 .
+Is deprecated and does nothing.
 .It Ic tlsv1.1
-Enable the TLSv1.1 protocol.
-The default is
-.Ic no tlsv1.1 .
+Is deprecated and does nothing.
 .El
 .It Ic http Ar option
 Set the HTTP options and session settings.
-- 
2.20.1