
List:       openbsd-tech
Subject:    Re: relayd.conf.5: less SSL
From:       Sebastian Benoit <benno () openbsd ! org>
Date:       2023-10-28 20:58:03
Message-ID: 20231028205803.GA995 () mail ! webmonster ! de

Klemens Nanni(kn@openbsd.org) on 2023.10.26 13:28:42 +0000:
> On Tue, Oct 24, 2023 at 09:09:21AM +0200, Peter N. M. Hansteen wrote:
> > On Tue, Oct 24, 2023 at 06:54:30AM +0000, Klemens Nanni wrote:
> > > - parse.y still accepting undocumented "ssl" with a warning since 2014
> > > - more "SSL/TLS" instead of "TLS" in manual and code comments
> > 
> > my take would be that while it's fine to streamline the documentation to use
> > the modern terminology, I suspect there may still be ancient configurations
> > out there that use the "ssl" keyword, so removing the last bit of support for
> > that option should be accompanied by or preceded by a warning on relevant
> > mailing lists or at least in the commit message. 
> > 
> > And I think undeadly.org would be more than happy to help spread the word :)
> 
> current.html entry should do for a deprecated keyword we've been warning
> about for almost ten years...

Yes, please kick it where it belongs.

> I've checked faq/upgrade*.html for previous
> notes, but couldn't find any.

no, because it wasn't removed after 2 releases with the warning.

> Here's a first try, relayd regress is also happy.

ok benno@

> Index: usr.sbin/relayd/parse.y
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.254
> diff -u -p -r1.254 parse.y
> --- usr.sbin/relayd/parse.y	3 Jul 2023 09:38:08 -0000	1.254
> +++ usr.sbin/relayd/parse.y	26 Oct 2023 06:07:08 -0000
> @@ -175,7 +175,7 @@ typedef struct {
>  %token	LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT PATH
>  %token	PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY REMOVE
>  %token	REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND
> -%token	SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
> +%token	SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
>  %token	TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
>  %token	MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
>  %token	EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
> @@ -227,21 +227,12 @@ include		: INCLUDE STRING		{
>  		}
>  		;
>  
> -ssltls		: SSL		{
> -			log_warnx("%s:%d: %s",
> -			    file->name, yylval.lineno,
> -			    "please use the \"tls\" keyword"
> -			    " instead of \"ssl\"");
> -		}
> -		| TLS
> -		;
> -
>  opttls		: /*empty*/	{ $$ = 0; }
> -		| ssltls	{ $$ = 1; }
> +		| TLS		{ $$ = 1; }
>  		;
>  
>  opttlsclient	: /*empty*/	{ $$ = 0; }
> -		| WITH ssltls	{ $$ = 1; }
> +		| WITH TLS	{ $$ = 1; }
>  		;
>  
>  http_type	: HTTP		{ $$ = 0; }
> @@ -905,7 +896,7 @@ hashkey		: /* empty */		{
>  
>  tablecheck	: ICMP			{ table->conf.check = CHECK_ICMP; }
>  		| TCP			{ table->conf.check = CHECK_TCP; }
> -		| ssltls		{
> +		| TLS			{
>  			table->conf.check = CHECK_TCP;
>  			conf->sc_conf.flags |= F_TLS;
>  			table->conf.flags |= F_TLS;
> @@ -1114,7 +1105,7 @@ protopts_l	: protopts_l protoptsl nl
>  		| protoptsl optnl
>  		;
>  
> -protoptsl	: ssltls {
> +protoptsl	: TLS {
>  			if (!(proto->type == RELAY_PROTO_TCP ||
>  			    proto->type == RELAY_PROTO_HTTP)) {
>  				yyerror("can set tls options only for "
> @@ -1122,7 +1113,7 @@ protoptsl	: ssltls {
>  				YYERROR;
>  			}
>  		} tlsflags
> -		| ssltls {
> +		| TLS {
>  			if (!(proto->type == RELAY_PROTO_TCP ||
>  			    proto->type == RELAY_PROTO_HTTP)) {
>  				yyerror("can set tls options only for "
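Review bot: The guard on proto->type is duplicated verbatim in both `TLS {` alternatives of protoptsl (the first four lines after each changed line are identical), so the two mid-rule actions now differ only in what follows them. With ssltls gone there is no longer a nonterminal between TLS and the check, so the check could live in one nonterminal of its own, e.g. `tlsproto : TLS { ... } ;`, and both protoptsl alternatives would start with `tlsproto` instead of repeating the block. That keeps the yyerror text and the RELAY_PROTO_TCP/RELAY_PROTO_HTTP condition in one place if either is ever changed. The protoptsl rule and the yyerror string continue outside the hunk, so the tail of each alternative is not visible here; I am assuming nothing else differs between the two actions.
```yacc
tlsproto	: TLS {
			if (!(proto->type == RELAY_PROTO_TCP ||
			    proto->type == RELAY_PROTO_HTTP)) {
				/* … unchanged: existing yyerror() message and YYERROR … */
			}
		}
		;

protoptsl	: tlsproto tlsflags
		| tlsproto /* … unchanged: tail of the second alternative … */
```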
> @@ -2492,7 +2483,6 @@ lookup(char *s)
>  		{ "socket",		SOCKET },
>  		{ "source-hash",	SRCHASH },
>  		{ "splice",		SPLICE },
> -		{ "ssl",		SSL },
>  		{ "state",		STATE },
>  		{ "sticky-address",	STICKYADDR },
>  		{ "strip",		STRIP },
> Index: usr.sbin/relayd/relay.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
> retrieving revision 1.257
> diff -u -p -r1.257 relay.c
> --- usr.sbin/relayd/relay.c	3 Sep 2023 10:22:03 -0000	1.257
> +++ usr.sbin/relayd/relay.c	26 Oct 2023 05:49:22 -0000
> @@ -2064,7 +2064,7 @@ relay_tls_ctx_create_proto(struct protoc
>  {
>  	uint32_t		 protocols = 0;
>  
> -	/* Set the allowed SSL protocols */
> +	/* Set the allowed TLS protocols */
>  	if (proto->tlsflags & TLSFLAG_TLSV1_2)
>  		protocols |= TLS_PROTOCOL_TLSv1_2;
>  	if (proto->tlsflags & TLSFLAG_TLSV1_3)
> @@ -2186,7 +2186,7 @@ relay_tls_ctx_create(struct relay *rlay)
>  		/*
>  		 * Use the public key as the "private" key - the secret key
>  		 * parameters are hidden in an extra process that will be
> -		 * contacted by the RSA engine.  The SSL/TLS library needs at
> +		 * contacted by the RSA engine.  The TLS library needs at
>  		 * least the public key parameters in the current process.
>  		 */
>  		tls_config_use_fake_private_key(tls_cfg);
> Index: usr.sbin/relayd/relayd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
> retrieving revision 1.206
> diff -u -p -r1.206 relayd.conf.5
> --- usr.sbin/relayd/relayd.conf.5	6 Jun 2023 15:16:52 -0000	1.206
> +++ usr.sbin/relayd/relayd.conf.5	26 Oct 2023 06:18:10 -0000
> @@ -728,8 +728,6 @@ In addition to plain TCP,
>  .Xr relayd 8
>  supports the Transport Layer Security (TLS) cryptographic protocol for
>  authenticated and encrypted relays.
> -TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
> -but the term SSL is sometimes still used in modern TLS-based applications.
>  .Xr relayd 8
>  can operate as a TLS client or server to offer a variety of options
>  for different use cases related to TLS.
> @@ -758,7 +756,7 @@ statements,
>  .Xr relayd 8
>  will accept connections from clients as a TLS server.
>  This mode is also known as
> -.Dq SSL/TLS acceleration .
> +.Dq TLS acceleration .
>  See the
>  .Ic listen on
>  description in the
> @@ -947,7 +945,7 @@ If not specified, the default value
>  will be used (strong crypto cipher suites without anonymous DH).
>  See the CIPHERS section of
>  .Xr openssl 1
> -for information about SSL/TLS cipher suites and preference lists.
> +for information about TLS cipher suites and preference lists.
>  .It Ic client-renegotiation
>  Allow client-initiated renegotiation.
>  To mitigate a potential DoS risk,
> @@ -994,7 +992,7 @@ a keypair will be loaded using the speci
>  .Ar name .
>  See
>  .Xr ssl 8
> -for details about SSL/TLS server certificates.
> +for details about TLS server certificates.
>  .Pp
>  An optional OCSP staple file will be used during TLS handshakes with
>  this server if it is found as a non-empty file in
> @@ -1621,7 +1619,7 @@ http protocol httpfilter {
>  	match label "Prohibited!"
>  	block url "social.network.example.com/"
>  
> -	# New configuration directives for SSL/TLS Interception
> +	# New configuration directives for TLS Interception
>  	tls ca key "/etc/ssl/private/ca.key" password "password123"
>  	tls ca cert "/etc/ssl/ca.crt"
>  }
> Index: usr.sbin/httpd/httpd.conf.5
> ===================================================================
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.123
> diff -u -p -r1.123 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5	17 Aug 2023 07:25:57 -0000	1.123
> +++ usr.sbin/httpd/httpd.conf.5	26 Oct 2023 06:18:27 -0000
> @@ -649,7 +649,7 @@ If not specified, the default value
>  will be used (strong crypto cipher suites without anonymous DH).
>  See the CIPHERS section of
>  .Xr openssl 1
> -for information about SSL/TLS cipher suites and preference lists.
> +for information about TLS cipher suites and preference lists.
>  .It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional
>  Require
>  .Po
> Index: etc/examples//relayd.conf
> ===================================================================
> RCS file: /cvs/src/etc/examples/relayd.conf,v
> retrieving revision 1.5
> diff -u -p -r1.5 relayd.conf
> --- etc/examples//relayd.conf	6 May 2018 20:56:55 -0000	1.5
> +++ etc/examples//relayd.conf	26 Oct 2023 05:47:17 -0000
> @@ -34,7 +34,7 @@ redirect www {
>  }
>  
>  #
> -# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> +# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
>  #
>  http protocol https {
>  	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
> @@ -50,7 +50,7 @@ http protocol https {
>  }
>  
>  relay wwwtls {
> -	# Run as a SSL/TLS accelerator
> +	# Run as a TLS accelerator
>  	listen on $ext_addr port 443 tls
>  	protocol https
>  
> 

