From f71e4cb7a7f1e5d9e44122859d30db692e0d2187 Mon Sep 17 00:00:00 2001
From: kn
Date: Sun, 29 Oct 2023 11:27:11 +0000
Subject: [PATCH] Unmention/don't explain SSL, drop 9y old "ssl" keyword/deprecation warning

Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last ten years, "ssl" is now an error.

Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.

OK benno
---
 etc/examples/relayd.conf      |  6 +++---
 usr.sbin/httpd/httpd.conf.5   |  6 +++---
 usr.sbin/relayd/parse.y       | 24 +++++++----------------
 usr.sbin/relayd/relay.c       |  6 +++---
 usr.sbin/relayd/relayd.conf.5 | 14 ++++++-------
 5 files changed, 22 insertions(+), 34 deletions(-)

diff --git a/etc/examples/relayd.conf b/etc/examples/relayd.conf
index 35280b66612..3ed437b7937 100644
--- a/etc/examples/relayd.conf
+++ b/etc/examples/relayd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
+# $OpenBSD: relayd.conf,v 1.6 2023/10/29 11:27:11 kn Exp $
 #
 # Macros
 #
@@ -34,7 +34,7 @@ redirect www {
 }
 
 #
-# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
+# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
 #
 http protocol https {
 	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
@@ -50,7 +50,7 @@ http protocol https {
 }
 
 relay wwwtls {
-	# Run as a SSL/TLS accelerator
+	# Run as a TLS accelerator
 	listen on $ext_addr port 443 tls
 	protocol https
 
diff --git a/usr.sbin/httpd/httpd.conf.5 b/usr.sbin/httpd/httpd.conf.5
index 90ea5e75016..ef4f5b5811f 100644
--- a/usr.sbin/httpd/httpd.conf.5
+++ b/usr.sbin/httpd/httpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: httpd.conf.5,v 1.123 2023/08/17 07:25:57 op Exp $
+.\" $OpenBSD: httpd.conf.5,v 1.124 2023/10/29 11:27:11 kn Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Reyk Floeter 
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 17 2023 $
+.Dd $Mdocdate: October 29 2023 $
 .Dt HTTPD.CONF 5
 .Os
 .Sh NAME
@@ -649,7 +649,7 @@ If not specified, the default value will be used
 (strong crypto cipher suites without anonymous DH).
 See the CIPHERS section of
 .Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
 .It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional
 Require
 .Po
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index a1250de51aa..a6842f97046 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.254 2023/07/03 09:38:08 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $ */
 
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter 
@@ -175,7 +175,7 @@ typedef struct {
 %token LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT PATH
 %token PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY REMOVE
 %token REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND
-%token SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
+%token SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
 %token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
 %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
 %token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
@@ -227,21 +227,12 @@ include : INCLUDE STRING {
 		}
 		;
 
-ssltls		: SSL {
-			log_warnx("%s:%d: %s",
-			    file->name, yylval.lineno,
-			    "please use the \"tls\" keyword"
-			    " instead of \"ssl\"");
-		}
-		| TLS
-		;
-
 opttls		: /*empty*/	{ $$ = 0; }
-		| ssltls	{ $$ = 1; }
+		| TLS		{ $$ = 1; }
 		;
 
 opttlsclient	: /*empty*/	{ $$ = 0; }
-		| WITH ssltls	{ $$ = 1; }
+		| WITH TLS	{ $$ = 1; }
 		;
 
 http_type	: HTTP		{ $$ = 0; }
@@ -905,7 +896,7 @@ hashkey : /* empty */ {
 
 tablecheck	: ICMP			{ table->conf.check = CHECK_ICMP; }
 		| TCP			{ table->conf.check = CHECK_TCP; }
-		| ssltls		{
+		| TLS			{
 			table->conf.check = CHECK_TCP;
 			conf->sc_conf.flags |= F_TLS;
 			table->conf.flags |= F_TLS;
@@ -1114,7 +1105,7 @@ protopts_l : protopts_l protoptsl nl
 		| protoptsl optnl
 		;
 
-protoptsl	: ssltls {
+protoptsl	: TLS {
 			if (!(proto->type == RELAY_PROTO_TCP ||
 			    proto->type == RELAY_PROTO_HTTP)) {
 				yyerror("can set tls options only for "
@@ -1122,7 +1113,7 @@ protoptsl : ssltls {
 				YYERROR;
 			}
 		} tlsflags
-		| ssltls {
+		| TLS {
 			if (!(proto->type == RELAY_PROTO_TCP ||
 			    proto->type == RELAY_PROTO_HTTP)) {
 				yyerror("can set tls options only for "
@@ -2492,7 +2483,6 @@ lookup(char *s)
 		{ "socket",		SOCKET },
 		{ "source-hash",	SRCHASH },
 		{ "splice",		SPLICE },
-		{ "ssl",		SSL },
 		{ "state",		STATE },
 		{ "sticky-address",	STICKYADDR },
 		{ "strip",		STRIP },
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 80d27419c83..5d3f38c5bd5 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.257 2023/09/03 10:22:03 nicm Exp $ */
+/* $OpenBSD: relay.c,v 1.258 2023/10/29 11:27:11 kn Exp $ */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter 
@@ -2064,7 +2064,7 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
 {
 	uint32_t protocols = 0;
 
-	/* Set the allowed SSL protocols */
+	/* Set the allowed TLS protocols */
 	if (proto->tlsflags & TLSFLAG_TLSV1_2)
 		protocols |= TLS_PROTOCOL_TLSv1_2;
 	if (proto->tlsflags & TLSFLAG_TLSV1_3)
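Review bot: Once `{ "ssl", SSL }` is removed from the lookup() table in the last hunk of this file, a leftover `ssl` keyword reaches the grammar as a plain STRING and no longer matches any of the productions rewritten here, so an outdated `listen on ... port 443 ssl` line should now fail to parse instead of silently coming up as a plaintext listener; that fail-closed behaviour is the property that matters and is worth confirming with a config that still uses the old keyword, since nothing in these hunks shows how a stray STRING in that position is consumed. The operator presumably then gets only the generic syntax error with a line number and no hint that the keyword was retired, and the removed log_warnx() text was the only place that named the replacement; a sentence in relayd.conf(5) stating that `ssl` is no longer accepted and `tls` must be used would restore that hint. The opttls and opttlsclient rules are complete within the first hunk; the tablecheck rule and both protoptsl alternatives continue outside theirs.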
@@ -2186,7 +2186,7 @@ relay_tls_ctx_create(struct relay *rlay)
 	/*
 	 * Use the public key as the "private" key - the secret key
 	 * parameters are hidden in an extra process that will be
-	 * contacted by the RSA engine. The SSL/TLS library needs at
+	 * contacted by the RSA engine. The TLS library needs at
 	 * least the public key parameters in the current process.
 	 */
 	tls_config_use_fake_private_key(tls_cfg);
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 679da2e1322..21f3101386a 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.206 2023/06/06 15:16:52 beck Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $
 .\"
 .\" Copyright (c) 2006 - 2016 Reyk Floeter 
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard 
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2023 $
+.Dd $Mdocdate: October 29 2023 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -728,8 +728,6 @@ In addition to plain TCP,
 .Xr relayd 8
 supports the Transport Layer Security (TLS) cryptographic protocol
 for authenticated and encrypted relays.
-TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
-but the term SSL is sometimes still used in modern TLS-based applications.
 .Xr relayd 8
 can operate as a TLS client or server to offer a variety of options for
 different use cases related to TLS.
@@ -758,7 +756,7 @@ statements,
 .Xr relayd 8
 will accept connections from clients as a TLS server.
 This mode is also known as
-.Dq SSL/TLS acceleration .
+.Dq TLS acceleration .
 See the
 .Ic listen on
 description in the
@@ -947,7 +945,7 @@ If not specified, the default value will be used
 (strong crypto cipher suites without anonymous DH).
 See the CIPHERS section of
 .Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
 .It Ic client-renegotiation
 Allow client-initiated renegotiation.
 To mitigate a potential DoS risk,
@@ -994,7 +992,7 @@ a keypair will be loaded using the specified IP address of the relay as
 .Ar name .
 See
 .Xr ssl 8
-for details about SSL/TLS server certificates.
+for details about TLS server certificates.
 .Pp
 An optional OCSP staple file will be used during TLS handshakes with this
 server if it is found as a non-empty file in
@@ -1621,7 +1619,7 @@ http protocol httpfilter {
 	match label "Prohibited!" block url "social.network.example.com/"
 
-	# New configuration directives for SSL/TLS Interception
+	# New configuration directives for TLS Interception
 	tls ca key "/etc/ssl/private/ca.key" password "password123"
 	tls ca cert "/etc/ssl/ca.crt"
 }
 
-- 
2.20.1