Age | Commit message | Author |
|
- use <> instead of \*(Lt and \*(Gt
- use <> instead of Aq (Aq is not the same as <> in a UTF-8 locale)
- replace Ar usage when appropriate
- mark up RTP_STATIC with Dv
with input from jmc@ schwarze@, ok schwarze@
|
no cipher-server-preference
this makes more clients select ciphers with pfs.
requested and ok by reyk@
|
ok jmc@
|
Pointed out by Alex Greif
OK jmc@
|
from trondd
|
OK krw@ benno@
Based on revision 1.66 of usr.sbin/httpd/parse.y:
Make httpd TLSv1.2-only by default. Some older browsers, like IE 10,
will be incompatible with this change. We do this early in the
release cycle, so there is a good chance to get more experience with
the impact of it and the upcoming restricted cipher modes.
OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@
|
ok reyk@
|
in redirections. Thanks for help and input from jsg and yasuoka who
reminded me to dig out and update these old diffs for pf and relayd.
ok jsg@
|
loadbalance and hash modes use a random key by default that can be
forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@
|
effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controversy about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@
|
SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform
with another SSL library). Also fix the SSLv3 handling so that 'no sslv3'
actually works as intended.
ok reyk@
|
relevant example snippet in the relayd.conf(5) man page.
Change the default SSL protocols in the example file/man page to
"no tlsv1.0" (suggested by sthen@), which will enable the TLSv1.1
and TLSv1.2 protocols only.
feedback/ok jsing@ reyk@ sthen@
|
OK sthen@ jsing@
|
as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@
|
work done by andre@
Re-add a randomized hash seed (which had apparently
gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured
to forward traffic to the same host, falling back to
the random seed when not explicitly configured to do so.
ok reyk@
|
clients. Additionally, add options for disallowing client-initiated
renegotiations and to prefer the server's cipher list over the
client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was
discussed with jsing@ resulting in a few different defaults.
ok benno@
|
language. The grammar is inspired by pf and allows writing versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords. This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code. The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@
|
- Move RSA private keys to a new separate process instead of copying
them to the relays. A custom RSA engine is used by the SSL/TLS code
of the relay processes to send RSA private key encryption/decryption
(also used for sign/verify) requests to the new "ca" processes instead
of operating on the private key directly.
- Each relay process gets its own related ca process. Setting
"prefork 5" in the config file will spawn 10 processes (5 relay, 5
ca). This diff also reduces the default number of relay processes
from 5 to 3 which should be suitable in most installations without a
very heavy load.
- Don't keep text versions of the keys in memory, parse them once and
keep the binary representation. This might still be the case in
OpenSSL's internals but will be fixed in the library.
This diff doesn't prevent something like "heartbleed" but adds an
additional mitigation to prevent leakage of the private keys from the
processes doing SSL/TLS.
With feedback from many
ok benno@
|
ok reyk@ benno@
|
TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@
|
man4 still to go...
|
connections (eg. HTTPS) by using a local CA that is accepted by the
clients. See the "SSL RELAYS" and "EXAMPLES" sections in the
relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@
|
- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and openssl
tested with old and new time_t
ok florian@
|
least-states, random, source-hash. least-states is currently only
supported for redirections and the other ones are currently only
supported by relays.
ok benno@
|
code for main and backup table all over the place, turn the relay
tables into a list attached to the relay. This improves the code and
allows some other tricks with multiple tables later.
|
- flesh out SEE ALSO in bgpd.8
- fix a formatting warning in relayd.conf.5
|
ok sthen@ jmc@
|
characters;
prompted by a diff from robert peichaer org
thanks gilles and henning for feedback
ok deraadt zinke
|
(/etc/ssl/host:port.crt, /etc/ssl/private/host:port.key).
ok benno@, todd@ likes it too, doc tweak suggested by jmc.
|
by design.
ok henning pyr
|
in the long term, i guess we should avoid documenting the number of
sections, since it's meaningless and is always in danger of going
out of date...
|
the standard OpenBSD-style parse.y handle continuing lines with backslashes,
paying particular attention to how comments are handled (which can cause
nasty side-effects if you're not expecting it).
Most wording from jmc@, with suggestions from fgsch@, marc@, Richard Toohey,
patrick keshishian and Florian Obser, ok jmc@.
|
directives like "listen on egress".
Based on gilles@' code for smtpd and an idea from Mikolaj Kucharski.
|
OK reyk@ claudio@ sthen@
|
"it's worth killing, if just to stop it being copied all over the place"
|