From 32e2b02a8722eff69b6df3287982cd6803e9add8 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Wed, 1 Apr 2009 14:56:39 +0000 Subject: Add support for client-side SSL connections from relays. relayd can now sit between two SSL connections (Oitm - OpenBSD-in-the-middle), accept SSL connections and forward to TCP, accept TCP connections and forward to SSL, and do TCP to TCP of course. This was tested by some people a while ago. --- usr.sbin/relayd/relayd.conf.5 | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'usr.sbin/relayd/relayd.conf.5') diff --git a/usr.sbin/relayd/relayd.conf.5 b/usr.sbin/relayd/relayd.conf.5 index ae8daac65fb..3a08596fd07 100644 --- a/usr.sbin/relayd/relayd.conf.5 +++ b/usr.sbin/relayd/relayd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: relayd.conf.5,v 1.100 2009/02/16 19:46:12 jmc Exp $ +.\" $OpenBSD: relayd.conf.5,v 1.101 2009/04/01 14:56:38 reyk Exp $ .\" .\" Copyright (c) 2006, 2007 Reyk Floeter .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: February 16 2009 $ +.Dd $Mdocdate: April 1 2009 $ .Dt RELAYD.CONF 5 .Os .Sh NAME @@ -500,7 +500,9 @@ configuration directives are described below: Start the relay but immediately close any accepted connections. .It Xo .Op Ic transparent -.Ic forward to +.Ic forward +.Op Ic with ssl +.Ic to .Ar address .Op Ic port Ar port .Ar options ... @@ -516,6 +518,13 @@ Use the keyword to enable fully-transparent mode; the source address of the client will be retained in this case. .Pp +The +.Ic with ssl +directive enables client-side SSL mode to connect to the remote host. +Note that +.Xr relayd 8 +will not verify the remote SSL certificate. +.Pp The following options may be specified for forward directives: .Pp .Bl -tag -width Ds 
@@ -1131,3 +1140,7 @@ program was written by .An Pierre-Yves Ritschard Aq pyr@openbsd.org and .An Reyk Floeter Aq reyk@openbsd.org . +.Sh CAVEATS +.Xr relayd 8 +does not support verification of server certificates when connecting +to a remote host using the SSL protocol. -- cgit v1.2.3
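Review bot: In the hunk at @@ -500,7 +500,9 @@, the synopsis now allows both `.Op Ic transparent` and `.Op Ic with ssl` on the same forward directive, but the added text does not say whether the two can be combined. Suggest one sentence in the description stating whether `transparent forward with ssl to` is a supported combination, so the synopsis does not promise more than the implementation handles.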
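Review bot: In the hunk at @@ -516,6 +518,13 @@, the sentence "will not verify the remote SSL certificate" states the behaviour but not what it means for the operator. Without verification, the connection to the remote host is encrypted but the remote host is not authenticated, so anything on the path between relayd and that host can answer in its place. Suggest spelling this out in the `with ssl` paragraph. For the SSL-to-SSL setup the commit message describes, it is also worth noting that a client validating the certificate relayd presents learns nothing about the host relayd forwards to.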
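Review bot: In the hunk at @@ -1131,3 +1140,7 @@, the new CAVEATS text speaks of "connecting to a remote host using the SSL protocol" without naming the option that triggers it. Suggest referring to the `forward with ssl to` directive by name (with `.Ic with ssl`), so a reader who starts at CAVEATS can find the affected configuration and the matching note in the directive's description.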