Age | Commit message | Author

the states that Claudio introduced. No functional change.
OK claudio@ benno@

Pointed out by Markus Elfring
OK mikeb@ millert@

to better track the connection state of a session and stops doing double
opens in certain situations using http relays. Using a state field to
simplify the logic since relay_connect() is called multiple times.
OK benno@, bluhm@ and running in production for more than a week

- fix a TAILQ corruption because of a use after free
- do not reinit the SSL engine since that fails
OK sthen, benno

OK krw@ benno@
Based on revision 1.66 of usr.sbin/httpd/parse.y:
Make httpd TLSv1.2-only by default. Some older browsers, like IE 10,
will be incompatible with this change. We do this early in the
release cycle, so there is a good chance to get more experience with
the impact of it and the upcoming restricted cipher modes.
OK jsing@ deraadt@ benno@ bmercer@ krw@ florian@

manual review. Based on common practice, relayd.h now includes the
necessary headers for itself.
OK benno@

the internal and long-serving ssl_ctx_load_verify_memory() function
with a call to the SSL_CTX_load_verify_mem() API function. The
ssl_privsep.c file with hacks for using OpenSSL in privsep'ed
processes can now go away; portable versions of smtpd and relayd
should start depending on LibreSSL or they have to carry ssl_privsep.c
in openbsd-compat to work with legacy OpenSSL. No functional change.
Based on previous discussions with gilles@ bluhm@ and many others
OK bluhm@ (as part of the libcrypto/libssl/libtls diff)

is no need to keep a local copy in ssl_privsep.c. This adds a little
burden on OpenSMTPD-portable because it will have to put it in
openbsd-compat for compatibility with legacy OpenSSL.
OK gilles@

ok millert

Date: from asctime to the preferred HTTP/1.1 format, and use the
popular "Comic Sans" style (can be changed in the configuration).

*Do* pull it in when in_{port,addr}_h is needed and <netinet/in.h> isn't.
ok reyk@

loadbalance and hash modes use a random key by default that can be
forced to be a static key with a new configuration argument.
With input from Max Fillinger.
ok tedu@

effectively disabled support for the SSL protocols. SSL remains a
common term describing SSL/TLS, there is some controversy about this
change, and the name really doesn't matter, but I feel confident about
it now.
(btw., sthen@ pointed out some historical context:
http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html)
OK benno@, with input from tedu@

This should be equivalent to the statistics available
via the various relaydctl show commands
okay benno@ reyk@

SSL_OP_NO_SSLv2 in case you happen to be running relayd on another platform
with another SSL library). Also fix the SSLv3 handling so that 'no sslv3'
actually works as intended.
ok reyk@

format string, create a temporary message.
OK deraadt@

It was mandatory in the grammar but never used in the code.
A fully transparent relay can now be specified with the following
directive in a relay block: "transparent forward to destination".
OK sthen@

OK sthen@ jsing@

as being an incomplete and therefore incorrect adaptation
apologies to anybody who got bitten by this mistake
ok reyk@

work done by andre@
Re-add a randomized hash seed (which had apparently
gotten inadvertently removed in the past).
Allows for multiple relayd instances to be configured
to forward traffic to the same host, falling back to
the random seed when not explicitly configured to do so.
ok reyk@

now instead of terminating the process.
ok florian@

the other direction, the timeouts did not work. They were longer
than specified. Link the splicing and non-splicing timeouts.
Found by make run-regress-args-timeout-http.pl
OK reyk@

ok reyk

ok benno@

common web servers). Add a related regress test.
OK benno@

clients. Additionally, add options for disallowing client-initiated
renegotiations and to prefer the server's cipher list over the
client's preferences.
This work is based on a diff by Markus Gebert at hostpoint.ch, and was
discussed with jsing@ resulting in a few different defaults.
ok benno@

with associated lists instead of the complicated lookup table and
"others" list. This might add a little malloc overhead for common
headers but also fixes some issues like the handling of repeated
headers - for example, handling of multiple "Set-Cookie" headers.
ok bluhm@ (regress part)
ok benno@

language. The grammar is inspired by pf and allows writing versatile
last-matching filter rules in protocol sections starting with the
"pass", "block" or "match" keywords. This work was started almost two
years ago and replaces large parts of relayd(8)'s HTTP and filtering
code. The initial version reimplements and extends HTTP filtering,
but will be improved to support generic TCP and other protocols later.
With some testing, feedback, and help from benno@ and andre@.
OK benno@

ok reyk

ok eric@

okay reyk@

if none is available. Fixes SSL/TLS and a possible fatalx() on
machines without a default RSA engine.
Thanks to Bjorn Ketelaars for reporting and testing.
ok gilles@ (for the relayd part)

looking up the keys by relay id, add all keys to a list and look them
up by key id.
ok benno@

process to process imsg communication. It became a maze after we
added support for multiple relay processes and even worse with the ca
processes. This change makes it easier to understand. Now it only
opens socketpairs that are needed - the code previously wasted lots of
fds.
ok blambert@

- Move RSA private keys to a new separate process instead of copying
them to the relays. A custom RSA engine is used by the SSL/TLS code
of the relay processes to send RSA private key encryption/decryption
(also used for sign/verify) requests to the new "ca" processes instead
of operating on the private key directly.
- Each relay process gets its own related ca process. Setting
"prefork 5" in the config file will spawn 10 processes (5 relay, 5
ca). This diff also reduces the default number of relay processes
from 5 to 3 which should be suitable in most installations without a
very heavy load.
- Don't keep text versions of the keys in memory, parse them once and
keep the binary representation. This might still be the case in
OpenSSL's internals but will be fixed in the library.
This diff doesn't prevent something like "heartbleed" but adds an
additional mitigation to prevent leakage of the private keys from the
processes doing SSL/TLS.
With feedback from many
ok benno@

different privsep processes. The implementation is using
multi-dimensional arrays and some complicated process to process
relations. This is the first attempt of cleaning it up and to allow
N:N communications for the upcoming "CA" processes.
Discussed with some, but nobody dared to comment on the code.

ok reyk@ benno@

ok krw, florian, henning

TLS/SSL Perfect Forward Secrecy (PFS).
ok djm@

reyk@ ok

connections (eg. HTTPS) by using a local CA that is accepted by the
clients. See the "SSL RELAYS" and "EXAMPLES" sections in the
relayd.conf(5) manpage for more details.
ok benno@, manpage bits jmc@

- fix statistics
- set INT_MAX limit on session timeouts
- make sure we don't use too large session timeouts in pf redirects and
openssl
tested with old and new time_t
ok florian@

gettimeofday(). It was also bugging me for some time to have all
these checks of gettimeofday()'s return value: it should not fail. So
this diff introduces a void getmonotime(struct timeval *tv) that calls
clock_gettime(CLOCK_MONOTONIC, &ts) and converts the output to a
struct timeval that can be used with the existing code and the
timeval-specific timer functions (timerclear, timersub, ...). It does
not return a status but calls fatal() on error-that-should-not-happen.
ok sthen@ chris@

transfer encoding. This speeds up relayd for more protocol modes
by zero-copy TCP forwarding.
OK reyk@ benno@

logs if they occur when reloading. ok benno@

toread values to track the current http header or chunk state. This
allows handling an optional chunk trailer properly. Tracking the
http state is also a prerequisite for splicing persistent http
connections.
OK and test reyk@ benno@

that gcc then reports when compiling with -DDEBUG=2
ok reyk@ benno@