-rw-r--r-- | usr.sbin/hoststated/hoststated.conf.5 | 37 | ||||
-rw-r--r-- | usr.sbin/hoststated/parse.y | 34 | ||||
-rw-r--r-- | usr.sbin/relayd/parse.y | 34 | ||||
-rw-r--r-- | usr.sbin/relayd/relayd.conf.5 | 37 |
4 files changed, 62 insertions, 80 deletions
diff --git a/usr.sbin/hoststated/hoststated.conf.5 b/usr.sbin/hoststated/hoststated.conf.5
index 0783da007aa..e9ae1538b3c 100644
--- a/usr.sbin/hoststated/hoststated.conf.5
+++ b/usr.sbin/hoststated/hoststated.conf.5
@@ -1,4 +1,4 @@ -.\" $OpenBSD: hoststated.conf.5,v 1.31 2007/02/26 19:25:25 reyk Exp $ +.\" $OpenBSD: hoststated.conf.5,v 1.32 2007/02/26 20:48:48 pyr Exp $ .\" .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> .\"
@@ -154,12 +154,8 @@ For each host in the table, verify that retrieving the URL .Ar path gives the HTTP return code .Ar number . -If -.Ic use ssl -is specified, HTTPS will be used to contact the host. .It Ic check https Ar path Ic code Ar number -This has the same effect as above but also implies -.Ic use ssl . +This has the same effect as above but wraps the HTTP request in SSL. .It Ic check http Ar path Ic digest Ar string For each host in the table, verify that retrieving the URL .Ar path
@@ -177,16 +173,19 @@ that can be used as is in a digest statement: a9993e36476816aba3e25717850c26c9cd0d89d .Ed If -.Ic use ssl -is specified, HTTPS will be used to contact the host. .It Ic check https Ar path Ic digest Ar string -This has the same effect as above but also implies -.Ic use ssl . +This has the same effect as above but wraps the HTTP request in SSL. .It Ic check icmp Ping hosts in this table to determine whether they are up or not. This method will automatically use ICMP or ICMPV6 depending on the address family of each host. -.It Ic check send Ar data Ic expect Ar pattern +.It Xo +.Ic check send +.Ar data +.Ic expect +.Ar pattern +.Op Ic ssl +.Xc For each host in the table, a TCP connection is established on the port specified, then .Ar data
@@ -202,19 +201,13 @@ then nothing is sent on the connection and data is immediately read. This can be useful with protocols that output a banner like SMTP, NNTP and FTP. -If -.Ic use ssl -is specified, the data will be sent and/or received inside an SSL tunnel. +If this directive is postpended with +.Ic ssl +the transaction will occur in an SSL tunnel. .It Ic check ssl -This has the same effect as -.Ic check tcp -but also implies -.Ic use ssl . +Perform a complete SSL handshake with each host to check their availability. .It Ic check tcp Use a simple TCP connect to check that hosts are up. -If -.Ic use ssl -is specified, a complete SSL handshake will also be performed. .It Ic demote Ar group Enable the per-table .Xr carp 4
@@ -251,8 +244,6 @@ Main and backup tables need to have the same real port. Set the timeout in milliseconds for each host that is checked using TCP as the transport. This will override the global timeout, which is 200 milliseconds by default. -.It Ic use ssl -If the table uses a TCP check, wrap it in SSL. .El .Sh SERVICES Services represent a
diff --git a/usr.sbin/hoststated/parse.y b/usr.sbin/hoststated/parse.y
index f4547948e00..f978c48f3e3 100644
--- a/usr.sbin/hoststated/parse.y
+++ b/usr.sbin/hoststated/parse.y
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.31 2007/02/26 19:58:04 pyr Exp $ */ +/* $OpenBSD: parse.y,v 1.32 2007/02/26 20:48:48 pyr Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -107,14 +107,14 @@ typedef struct { %token CHECK TCP ICMP EXTERNAL %token TIMEOUT CODE DIGEST PORT TAG INTERFACE %token VIRTUAL INTERVAL DISABLE STICKYADDR BACKLOG -%token SEND EXPECT NOTHING USE SSL LOADBALANCE ROUNDROBIN CIPHERS +%token SEND EXPECT NOTHING SSL LOADBALANCE ROUNDROBIN CIPHERS %token RELAY LISTEN ON FORWARD TO NAT LOOKUP PREFORK NO MARK MARKED %token PROTO SESSION CACHE APPEND CHANGE REMOVE FROM FILTER HASH HEADER %token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY %token ERROR %token <v.string> STRING %type <v.string> interface -%type <v.number> number port http_type loglevel sslcache +%type <v.number> number port http_type loglevel sslcache optssl %type <v.number> proto_type dstmode docheck retry log flag %type <v.host> host %type <v.tv> timeout
@@ -146,6 +146,10 @@ number : STRING { } ; +optssl : /*empty*/ { $$ = 0; } + | SSL { $$ = 1; } + ; + http_type : STRING { if (strcmp("https", $1) == 0) { $$ = 1;
@@ -478,8 +482,12 @@ tableoptsl : host { } free($5); } - | CHECK SEND sendbuf EXPECT STRING { + | CHECK SEND sendbuf EXPECT STRING optssl { table->check = CHECK_SEND_EXPECT; + if ($6) { + conf->flags |= F_SSL; + table->flags |= F_SSL; + } if (strlcpy(table->exbuf, $5, sizeof(table->exbuf)) >= sizeof(table->exbuf)) { yyerror("yyparse: expect buffer truncated");
@@ -508,10 +516,6 @@ tableoptsl : host { } } | DISABLE { table->flags |= F_DISABLE; } - | USE SSL { - table->flags |= F_SSL; - conf->flags |= F_SSL; - } ; proto : PROTO STRING {
@@ -824,7 +828,7 @@ relayopts_l : relayopts_l relayoptsl nl | relayoptsl optnl ; -relayoptsl : LISTEN ON STRING port sslserv { +relayoptsl : LISTEN ON STRING port optssl { struct addresslist al; struct address *h;
@@ -844,6 +848,10 @@ relayoptsl : LISTEN ON STRING port sslserv { h = TAILQ_FIRST(&al); bcopy(&h->ss, &rlay->ss, sizeof(rlay->ss)); rlay->port = h->port; + if ($5) { + rlay->flags |= F_SSL; + conf->flags |= F_SSL; + } } | FORWARD TO STRING port { struct addresslist al;
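Review bot: The new `optssl` nonterminal in the @@ -146 hunk carries no comment, and since it is now consumed by two unrelated productions in this file (`check send … expect … optssl` under tableoptsl and `listen on … port optssl` under relayoptsl) a reader has to locate both callers to learn what its value means; I would put `/* optional trailing "ssl" keyword: 1 when present, 0 otherwise; the consuming rule sets F_SSL */` above the rule. The two consuming actions also raise the same pair of bits in opposite order (`conf->flags` then `table->flags` in the @@ -478 hunk, `rlay->flags` then `conf->flags` in the @@ -844 hunk); ordering them the same way keeps a grep for F_SSL uniform. In the @@ -478 hunk the `if ($6)` block runs before the `strlcpy` truncation check that follows it, which matches how `table->check` was already assigned, but it means a rejected table option has already set `conf->flags`; that is harmless only if the `yyerror` path discards the whole configuration, which the hunk does not show. usr.sbin/relayd/parse.y carries byte-identical hunks (same blob ids in its index line), so the same points apply there.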
@@ -933,13 +941,6 @@ docheck : /* empty */ { $$ = 1; } | NO CHECK { $$ = 0; } ; -sslserv : /* empty */ - | SSL { - rlay->flags |= F_SSL; - conf->flags |= F_SSL; - } - ; - interface : /*empty*/ { $$ = NULL; } | INTERFACE STRING { $$ = $2; } ;
@@ -1096,7 +1097,6 @@ lookup(char *s) { "to", TO }, { "updates", UPDATES }, { "url", URL }, - { "use", USE }, { "virtual", VIRTUAL } }; const struct keywords *p;
diff --git a/usr.sbin/relayd/parse.y b/usr.sbin/relayd/parse.y
index f4547948e00..f978c48f3e3 100644
--- a/usr.sbin/relayd/parse.y
+++ b/usr.sbin/relayd/parse.y
@@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.31 2007/02/26 19:58:04 pyr Exp $ */ +/* $OpenBSD: parse.y,v 1.32 2007/02/26 20:48:48 pyr Exp $ */ /* * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org>
@@ -107,14 +107,14 @@ typedef struct { %token CHECK TCP ICMP EXTERNAL %token TIMEOUT CODE DIGEST PORT TAG INTERFACE %token VIRTUAL INTERVAL DISABLE STICKYADDR BACKLOG -%token SEND EXPECT NOTHING USE SSL LOADBALANCE ROUNDROBIN CIPHERS +%token SEND EXPECT NOTHING SSL LOADBALANCE ROUNDROBIN CIPHERS %token RELAY LISTEN ON FORWARD TO NAT LOOKUP PREFORK NO MARK MARKED %token PROTO SESSION CACHE APPEND CHANGE REMOVE FROM FILTER HASH HEADER %token LOG UPDATES ALL DEMOTE NODELAY SACK SOCKET BUFFER URL RETRY %token ERROR %token <v.string> STRING %type <v.string> interface -%type <v.number> number port http_type loglevel sslcache +%type <v.number> number port http_type loglevel sslcache optssl %type <v.number> proto_type dstmode docheck retry log flag %type <v.host> host %type <v.tv> timeout
@@ -146,6 +146,10 @@ number : STRING { } ; +optssl : /*empty*/ { $$ = 0; } + | SSL { $$ = 1; } + ; + http_type : STRING { if (strcmp("https", $1) == 0) { $$ = 1;
@@ -478,8 +482,12 @@ tableoptsl : host { } free($5); } - | CHECK SEND sendbuf EXPECT STRING { + | CHECK SEND sendbuf EXPECT STRING optssl { table->check = CHECK_SEND_EXPECT; + if ($6) { + conf->flags |= F_SSL; + table->flags |= F_SSL; + } if (strlcpy(table->exbuf, $5, sizeof(table->exbuf)) >= sizeof(table->exbuf)) { yyerror("yyparse: expect buffer truncated");
@@ -508,10 +516,6 @@ tableoptsl : host { } } | DISABLE { table->flags |= F_DISABLE; } - | USE SSL { - table->flags |= F_SSL; - conf->flags |= F_SSL; - } ; proto : PROTO STRING {
@@ -824,7 +828,7 @@ relayopts_l : relayopts_l relayoptsl nl | relayoptsl optnl ; -relayoptsl : LISTEN ON STRING port sslserv { +relayoptsl : LISTEN ON STRING port optssl { struct addresslist al; struct address *h;
@@ -844,6 +848,10 @@ relayoptsl : LISTEN ON STRING port sslserv { h = TAILQ_FIRST(&al); bcopy(&h->ss, &rlay->ss, sizeof(rlay->ss)); rlay->port = h->port; + if ($5) { + rlay->flags |= F_SSL; + conf->flags |= F_SSL; + } } | FORWARD TO STRING port { struct addresslist al;
@@ -933,13 +941,6 @@ docheck : /* empty */ { $$ = 1; } | NO CHECK { $$ = 0; } ; -sslserv : /* empty */ - | SSL { - rlay->flags |= F_SSL; - conf->flags |= F_SSL; - } - ; - interface : /*empty*/ { $$ = NULL; } | INTERFACE STRING { $$ = $2; } ;
@@ -1096,7 +1097,6 @@ lookup(char *s) { "to", TO }, { "updates", UPDATES }, { "url", URL }, - { "use", USE }, { "virtual", VIRTUAL } }; const struct keywords *p;
diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5
index af25b6d612e..d915b2a023d 100644
--- a/usr.sbin/relayd/relayd.conf.5
+++ b/usr.sbin/relayd/relayd.conf.5
@@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.31 2007/02/26 19:25:25 reyk Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.32 2007/02/26 20:48:48 pyr Exp $ .\" .\" Copyright (c) 2006 Pierre-Yves Ritschard <pyr@spootnik.org> .\"
@@ -154,12 +154,8 @@ For each host in the table, verify that retrieving the URL .Ar path gives the HTTP return code .Ar number . -If -.Ic use ssl -is specified, HTTPS will be used to contact the host. .It Ic check https Ar path Ic code Ar number -This has the same effect as above but also implies -.Ic use ssl . +This has the same effect as above but wraps the HTTP request in SSL. .It Ic check http Ar path Ic digest Ar string For each host in the table, verify that retrieving the URL .Ar path
@@ -177,16 +173,19 @@ that can be used as is in a digest statement: a9993e36476816aba3e25717850c26c9cd0d89d .Ed If -.Ic use ssl -is specified, HTTPS will be used to contact the host. .It Ic check https Ar path Ic digest Ar string -This has the same effect as above but also implies -.Ic use ssl . +This has the same effect as above but wraps the HTTP request in SSL. .It Ic check icmp Ping hosts in this table to determine whether they are up or not. This method will automatically use ICMP or ICMPV6 depending on the address family of each host. -.It Ic check send Ar data Ic expect Ar pattern +.It Xo +.Ic check send +.Ar data +.Ic expect +.Ar pattern +.Op Ic ssl +.Xc For each host in the table, a TCP connection is established on the port specified, then .Ar data
@@ -202,19 +201,13 @@ then nothing is sent on the connection and data is immediately read. This can be useful with protocols that output a banner like SMTP, NNTP and FTP. -If -.Ic use ssl -is specified, the data will be sent and/or received inside an SSL tunnel. +If this directive is postpended with +.Ic ssl +the transaction will occur in an SSL tunnel. .It Ic check ssl -This has the same effect as -.Ic check tcp -but also implies -.Ic use ssl . +Perform a complete SSL handshake with each host to check their availability. .It Ic check tcp Use a simple TCP connect to check that hosts are up. -If -.Ic use ssl -is specified, a complete SSL handshake will also be performed. .It Ic demote Ar group Enable the per-table .Xr carp 4
@@ -251,8 +244,6 @@ Main and backup tables need to have the same real port. Set the timeout in milliseconds for each host that is checked using TCP as the transport. This will override the global timeout, which is 200 milliseconds by default. -.It Ic use ssl -If the table uses a TCP check, wrap it in SSL. .El .Sh SERVICES Services represent a |