Hi there
I hope this is the right mailing list to publish a patch. If not,
please let me know where to place it or how I should get in contact
with the relayd maintainer(s).
I've added some new SSL features and config options to relayd that we
needed at work:
- ssl edh params "value"
-> allows controlling the use of OpenSSL's built-in DH params. With
them, relayd is now able to use EDH/DHE ciphers. They are the
only option to provide forward secrecy for older clients.
- ssl [no] cipher-server-preference
-> allows the admin to control SSL_OP_CIPHER_SERVER_PREFERENCE to be
able to force some cipher preferences on clients (i.e. to prefer
ciphers that provide forward secrecy).
- ssl [no] client-renegotiation
-> allows the interception of ("secure") client-initiated
renegotiations, which are considered a risk in DDoS scenarios
because many CPU cycles can be burned this way on a single TCP
connection without an obvious way for the administrator to
immediately know what's happening.
The patch was originally written against the FreeBSD port of relayd, but
since all the changes should be easily portable to OpenBSD and it makes
sense to add the features upstream, I recreated the patch so that it
applies to OpenBSD (5.5 and CURRENT). It's only compile-tested, but the
changed code parts do not really differ between the platforms, so I
think the patch should be safe to use.
Patch for OpenBSD 5.5:
http://gebert.net/share/relayd-ssl-5.5.diff
Patch for OpenBSD CURRENT as of 2014-07-01:
http://gebert.net/share/relayd-ssl-current-20140701.diff
Please feel free to change any defaults I’ve chosen for the new config
options. They were chosen for the environment I run relayd in and might
not fit your policies about introducing new features.
Any feedback is welcome!
Markus