authorBob Beck <beck@cvs.openbsd.org>2023-06-06 15:16:53 +0000
committerBob Beck <beck@cvs.openbsd.org>2023-06-06 15:16:53 +0000
commit2a98c24d5ca3fe56900d9c54df9372842928b561 (patch)
treeec0e8947ecce5e7a39d97df347db9aa8e15da7ad
parentb0e9d7b34199b90d78a7937b97165befc59177b0 (diff)
Make the tlsv1.0 and tlsv1.1 options in relayd do nothing
Also document that fact, and that the existing ssl3 option does nothing. This changes relayd to no longer request tls1.0 or tls1.1 in preparation for the upcoming deprecation of these out-of-date protocols. ok jsing@ bluhm@ tb@ claudio@ benno@
-rw-r--r--usr.sbin/relayd/relay.c6
-rw-r--r--usr.sbin/relayd/relayd.conf.520
2 files changed, 7 insertions, 19 deletions
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 7491570445d..3341baad659 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.255 2022/12/28 21:30:18 jmc Exp $ */
+/* $OpenBSD: relay.c,v 1.256 2023/06/06 15:16:52 beck Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2065,10 +2065,6 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
uint32_t protocols = 0;
/* Set the allowed SSL protocols */
- if (proto->tlsflags & TLSFLAG_TLSV1_0)
- protocols |= TLS_PROTOCOL_TLSv1_0;
- if (proto->tlsflags & TLSFLAG_TLSV1_1)
- protocols |= TLS_PROTOCOL_TLSv1_1;
if (proto->tlsflags & TLSFLAG_TLSV1_2)
protocols |= TLS_PROTOCOL_TLSv1_2;
if (proto->tlsflags & TLSFLAG_TLSV1_3)
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index 90ee6995fd5..679da2e1322 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: relayd.conf.5,v 1.205 2022/03/31 17:27:31 naddy Exp $
+.\" $OpenBSD: relayd.conf.5,v 1.206 2023/06/06 15:16:52 beck Exp $
.\"
.\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
.\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 6 2023 $
.Dt RELAYD.CONF 5
.Os
.Sh NAME
@@ -1021,27 +1021,19 @@ The default is to enable TLSv1.3.
Disable the TLSv1.2 protocol.
The default is to enable TLSv1.2.
.It Ic sslv3
-Enable the SSLv3 protocol.
-The default is
-.Ic no sslv3 .
+Is deprecated and does nothing.
.It Ic tlsv1
Enable all TLSv1 protocols.
-This is an alias that includes
-.Ic tlsv1.0 ,
-.Ic tlsv1.1 ,
+This is an alias that currently includes
.Ic tlsv1.2 ,
and
.Ic tlsv1.3 .
The default is
.Ic no tlsv1 .
.It Ic tlsv1.0
-Enable the TLSv1.0 protocol.
-The default is
-.Ic no tlsv1.0 .
+Is deprecated and does nothing.
.It Ic tlsv1.1
-Enable the TLSv1.1 protocol.
-The default is
-.Ic no tlsv1.1 .
+Is deprecated and does nothing.
.El
.It Ic http Ar option
Set the HTTP options and session settings.