Has the latest relayd, using the protocol defaults (tlsv1.3 and tlsv1.2),
regressed to not supporting SNI?
While server-side TLSv1.3 did not make it into the 6.7 release, it was
supposedly added in -current. According to the relayd.conf(5) manpage:

    no tlsv1.3
            Disable the TLSv1.3 protocol.  The default is to enable
            TLSv1.3.
A user on IRC reported that this SNI issue also shows up when using tlsv1.3
in httpd.
Disabling TLSv1.3 by adding `tls no tlsv1.3` to relayd.conf works around the
issue.
6.7-current OpenBSD localhost 6.7 GENERIC#216 amd64
My relayd.conf:
    ext_v4 = "1.2.3.4"

    http protocol "http" {
            match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
            match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
            tcp { nodelay, socket buffer 65536, backlog 100 }
    }

    http protocol "https" {
            match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
            match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
            tcp { nodelay, socket buffer 65536, backlog 100 }
            tls keypair example1.com
            tls keypair example2.com
            http websockets
    }

    relay "v4_http_relay" {
            listen on $ext_v4 port 80
            protocol "http"
            forward to 127.0.0.1 port 8081
    }

    relay "v4_https_relay" {
            listen on $ext_v4 port 443 tls
            protocol "https"
            forward to 127.0.0.1 port 8080
    }
Attempting to curl example2.com gets example1.com's cert. The behavior is
the same in httpd, according to the aforementioned IRC conversation. (The
first occurrence of `tls keypair` in relayd.conf determines which cert gets
sent, no matter what SNI name the client sends.)
localhost% curl -v https://example2.com
* Trying 1.2.3.4:443...
* Connected to example2.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
   CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using unknown / AEAD-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example1.com
* start date: May 9 21:55:12 2020 GMT
* expire date: Aug 7 21:55:12 2020 GMT
* subjectAltName does not match example2.com
* SSL: no alternative certificate subject name matches target host name 'example2.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'example2.com'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
localhost% curl -v https://example1.com
* Trying 1.2.3.4:443...
* Connected to example1.com (1.2.3.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
   CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using unknown / AEAD-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=example1.com
* start date: May 9 21:55:12 2020 GMT
* expire date: Aug 7 21:55:12 2020 GMT
* subjectAltName: host "example1.com" matched cert's "example1.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: example1.com
> User-Agent: curl/7.70.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Connection: keep-alive
< Content-Length: 0
< Content-Type: text/html
< Date: Wed, 27 May 2020 12:56:31 GMT
< Last-Modified: Sun, 10 May 2020 20:14:27 GMT
<
* Connection #0 to host example1.com left intact
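To confirm a fix (or catch a regression like this one) without reading curl output by hand, the following probe handshakes once per TLS version with a chosen SNI name and reports whether the certificate the relay actually sent covers that name. This is an added example, not part of the report or of relayd; the host, port and name at the bottom are placeholders standing in for the report's 1.2.3.4 / example2.com, and it assumes Python 3.7+ (ssl.TLSVersion).

```python
import socket
import ssl
from typing import List, Optional

def cert_dns_names(cert: dict) -> List[str]:
    """dNSName SAN entries from a getpeercert() dict, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy certs without SAN: fall back to the CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one '*' covering the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False

def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the presented certificate is valid for the SNI name we sent."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def probe(host: str, port: int, sni: str, version: ssl.TLSVersion,
          cafile: Optional[str] = None) -> dict:
    """Handshake with a pinned TLS version and the given SNI. Chain
    verification stays on (getpeercert() is empty without it); hostname
    checking is off so a valid-but-wrong cert is returned, not raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ctx.maximum_version = version
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return {"version": tls.version(), "cert": tls.getpeercert()}

def check_sni(host: str, port: int, sni: str) -> dict:
    """Map negotiated version -> whether the served cert covers `sni`."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        r = probe(host, port, sni, ver)
        results[r["version"]] = cert_covers(r["cert"], sni)
    return results

if __name__ == "__main__":
    # Placeholders for the report's relay address and second vhost name.
    print(check_sni("1.2.3.4", 443, "example2.com"))
```

With the configuration above, a working relay reports True for both versions; the behaviour in the report would show TLSv1.2 True and TLSv1.3 False for example2.com.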