This feature has been requested many times over the years. Various patches
were provided by Asherah Connor, Rivo Nurges, Markus Läll and maybe others.
These patches always stalled for various reasons.
From Sören Tempel, mostly based on Asherah's latest patch.
ok florian tb
As usual proc_forward_imsg() is never forwarding a file descriptor so
just use -1 there. This should be replaced by imsg_forward().
All other changes are simple conversions.
OK tb@
Switch "ssl" to "tls" in relayd.conf(5) if you haven't done so in the last
ten years, "ssl" is now an error.
Say "TLS" not "SSL/TLS" and drop the primer in the TLS RELAYS section.
OK benno
Also document that fact, and that the existing ssl3 option
does nothing. This changes relayd to no longer request tls1.0
or tls1.1 in preparation for the upcoming deprecation of these
out of data protocols
ok jsing@ bluhm@ tb@ claudio@ benno@
This matches the documented behaviour.
On matching "forward to <table>" filter rules the "forward to destination"
address is unset, so that in that case the "forward to <table>" rule is still
used.
OK benno@, regression tests still passing.
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
Pass the *env as an explicit argument instead of using the global
pointer: The relay_load_certfiles() function is called early before
the *env is set up. This does not change anything in the current code
as *env is not used by anything in the function (not even
ssl_load_key() that is taking it as an argument) but it will be needed
by upcoming changes for SNI.
Ok rob@
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges
OK and input from benno@
Cvs: ----------------------------------------------------------------------
option 'http { [no] websockets }' to allow such connections (default
is no). Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me. suggestions and ok bluhm@ and earlier
diff claudio@
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or
all checks.
The third option controls logging of connections in relay mode:
Either log all connections, or only errors.
Additionaly, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
to 1024 session per process (esp. with keep-alive). Now the fd limit is
the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code uses now tls_config_set_ecdhecurves(3) so it is possible to
specify multiple curves now. If people specified curves in their config
they need to adjust their config now.
OK beck@
Be more careful and remove the events before resetting them to the new
backends. This is also what some of the bufferevent functions are doing.
OK benno@
sporadically. If the \r and \n were read in separate chunks, relayd
got out of sync with the protocol as they were interpreted as two
lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of
evbuffer_readline().
OK benno@
Otherwise data not written could get lost. Also try to drain the
buffers when socket splicing should be enabled. The latter was
lost when the expicit bufferevent_enable() was added in relay_write().
bug report, analysis, initial fix, testing Rivo Nurges; OK beck@
Check whether TLS server object is available before using it. With
these fixes the ssl inspect regress test just fails and does not
crash relayd.
OK claudio@
It is rarely needed and imposes a light DoS risk. LibreSSL's libssl
allows to turn it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.
It can still be enabled with "tls client-renegotiation".
ok benno@ beck@ jsing@
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
relayd_config". This way we can send all the relevant global
configuration to the children, not just the flags and the opts.
With input from and
OK claudio@ benno@