Hi,
On Wed, Jul 02, 2014 at 01:34:51PM +0200, Markus Gebert wrote:
> Hi there
>
> I hope this is the right mailing list to publish a patch. If not,
> please let me know where to place it or how I should get in contact
> with the relayd maintainer(s).
>
> I've added some new SSL features and config options to relayd that we
> needed at work:
>
> - ssl edh params "value"
> -> allows to control the use of OpenSSL built-in DH params. With
> them, relayd is now able to use EDH/DHE ciphers. They are the
> only option to provide forward secrecy for older clients.
>
> - ssl [no] cipher-server-preference
> -> allows the admin to control SSL_OP_CIPHER_SERVER_PREFERENCE to be
> able to force some cipher preferences on clients (i.e. to prefer
> ciphers that provide forward secrecy).
>
> - ssl [no] client-renegotiation
> -> allows the interception of ("secure") client initiated
> renegotiations, which are considered a risk in DDoS scenarios
> because many CPU cycles can be burned this way on a single TCP
> connection without an obvious way for the administrator to
> immediately know what's happening.
>
>
> The patch was originally written against the FreeBSD port of relayd, but
> since all the changes should be easily portable to OpenBSD and it makes
> sense to add the features upstream, I recreated the patch so that it
> applies to OpenBSD (5.5 and CURRENT). It's only compile-tested, but the
> changed code parts do not really differ between the platforms, so I
> think the patch should be safe to use.
>
> Patch for OpenBSD 5.5:
> http://gebert.net/share/relayd-ssl-5.5.diff
>
> Patch for OpenBSD CURRENT as of 2014-07-01:
> http://gebert.net/share/relayd-ssl-current-20140701.diff
>
>
> Please feel free to change any defaults I’ve chosen for the new config
> options. They were chosen for the environment I run relayd in and might
> not fit your policies about introducing new features.
>
> Any feedback is welcome!
>
>
thanks for your patches! You beat me to it. Adding EDH/DHE support
was on our list. First impression of your diff is good.
Reyk