On Tue, Oct 24, 2023 at 09:09:21AM +0200, Peter N. M. Hansteen wrote:
> On Tue, Oct 24, 2023 at 06:54:30AM +0000, Klemens Nanni wrote:
> > - parse.y still accepting undocumented "ssl" with a warning since 2014
> > - more "SSL/TLS" instead of "TLS" in manual and code comments
>
> my take would be that while it's fine to streamline the documentation to use
> the modern terminology, I suspect there may still be ancient configurations
> out there that use the "ssl" keyword, so removing the last bit of support for
> that option should be accompanied by or preceded by a warning on relevant
> mailing lists or at least in the commit message.
>
> And I think undeadly.org would be more than happy to help spread the word :)
current.html entry should do for a deprecated keyword we've been warning
about for almost ten years... I've checked faq/upgrade*.html for previous
notes, but couldn't find any.
Here's a first try, relayd regress is also happy.
Index: usr.sbin/relayd/parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
retrieving revision 1.254
diff -u -p -r1.254 parse.y
--- usr.sbin/relayd/parse.y 3 Jul 2023 09:38:08 -0000 1.254
+++ usr.sbin/relayd/parse.y 26 Oct 2023 06:07:08 -0000
@@ -175,7 +175,7 @@ typedef struct {
%token LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT PATH
%token PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY REMOVE
%token REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK SCRIPT SEND
-%token SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
+%token SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED TCP
%token TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
%token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
%token EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
@@ -227,21 +227,12 @@ include : INCLUDE STRING {
}
;
-ssltls : SSL {
- log_warnx("%s:%d: %s",
- file->name, yylval.lineno,
- "please use the \"tls\" keyword"
- " instead of \"ssl\"");
- }
- | TLS
- ;
-
opttls : /*empty*/ { $$ = 0; }
- | ssltls { $$ = 1; }
+ | TLS { $$ = 1; }
;
opttlsclient : /*empty*/ { $$ = 0; }
- | WITH ssltls { $$ = 1; }
+ | WITH TLS { $$ = 1; }
;
http_type : HTTP { $$ = 0; }
@@ -905,7 +896,7 @@ hashkey : /* empty */ {
tablecheck : ICMP { table->conf.check = CHECK_ICMP; }
| TCP { table->conf.check = CHECK_TCP; }
- | ssltls {
+ | TLS {
table->conf.check = CHECK_TCP;
conf->sc_conf.flags |= F_TLS;
table->conf.flags |= F_TLS;
@@ -1114,7 +1105,7 @@ protopts_l : protopts_l protoptsl nl
| protoptsl optnl
;
-protoptsl : ssltls {
+protoptsl : TLS {
if (!(proto->type == RELAY_PROTO_TCP ||
proto->type == RELAY_PROTO_HTTP)) {
yyerror("can set tls options only for "
@@ -1122,7 +1113,7 @@ protoptsl : ssltls {
YYERROR;
}
} tlsflags
- | ssltls {
+ | TLS {
if (!(proto->type == RELAY_PROTO_TCP ||
proto->type == RELAY_PROTO_HTTP)) {
yyerror("can set tls options only for "
@@ -2492,7 +2483,6 @@ lookup(char *s)
{ "socket", SOCKET },
{ "source-hash", SRCHASH },
{ "splice", SPLICE },
- { "ssl", SSL },
{ "state", STATE },
{ "sticky-address", STICKYADDR },
{ "strip", STRIP },
Index: usr.sbin/relayd/relay.c
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
retrieving revision 1.257
diff -u -p -r1.257 relay.c
--- usr.sbin/relayd/relay.c 3 Sep 2023 10:22:03 -0000 1.257
+++ usr.sbin/relayd/relay.c 26 Oct 2023 05:49:22 -0000
@@ -2064,7 +2064,7 @@ relay_tls_ctx_create_proto(struct protoc
{
uint32_t protocols = 0;
- /* Set the allowed SSL protocols */
+ /* Set the allowed TLS protocols */
if (proto->tlsflags & TLSFLAG_TLSV1_2)
protocols |= TLS_PROTOCOL_TLSv1_2;
if (proto->tlsflags & TLSFLAG_TLSV1_3)
@@ -2186,7 +2186,7 @@ relay_tls_ctx_create(struct relay *rlay)
/*
* Use the public key as the "private" key - the secret key
* parameters are hidden in an extra process that will be
- * contacted by the RSA engine. The SSL/TLS library needs at
+ * contacted by the RSA engine. The TLS library needs at
* least the public key parameters in the current process.
*/
tls_config_use_fake_private_key(tls_cfg);
Index: usr.sbin/relayd/relayd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.206
diff -u -p -r1.206 relayd.conf.5
--- usr.sbin/relayd/relayd.conf.5 6 Jun 2023 15:16:52 -0000 1.206
+++ usr.sbin/relayd/relayd.conf.5 26 Oct 2023 06:18:10 -0000
@@ -728,8 +728,6 @@ In addition to plain TCP,
.Xr relayd 8
supports the Transport Layer Security (TLS) cryptographic protocol for
authenticated and encrypted relays.
-TLS is the successor of the original Secure Sockets Layer (SSL) protocol,
-but the term SSL is sometimes still used in modern TLS-based applications.
.Xr relayd 8
can operate as a TLS client or server to offer a variety of options
for different use cases related to TLS.
@@ -758,7 +756,7 @@ statements,
.Xr relayd 8
will accept connections from clients as a TLS server.
This mode is also known as
-.Dq SSL/TLS acceleration .
+.Dq TLS acceleration .
See the
.Ic listen on
description in the
@@ -947,7 +945,7 @@ If not specified, the default value
will be used (strong crypto cipher suites without anonymous DH).
See the CIPHERS section of
.Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
.It Ic client-renegotiation
Allow client-initiated renegotiation.
To mitigate a potential DoS risk,
@@ -994,7 +992,7 @@ a keypair will be loaded using the speci
.Ar name .
See
.Xr ssl 8
-for details about SSL/TLS server certificates.
+for details about TLS server certificates.
.Pp
An optional OCSP staple file will be used during TLS handshakes with
this server if it is found as a non-empty file in
@@ -1621,7 +1619,7 @@ http protocol httpfilter {
match label "Prohibited!"
block url "social.network.example.com/"
- # New configuration directives for SSL/TLS Interception
+ # New configuration directives for TLS Interception
tls ca key "/etc/ssl/private/ca.key" password "password123"
tls ca cert "/etc/ssl/ca.crt"
}
Index: usr.sbin/httpd/httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.123
diff -u -p -r1.123 httpd.conf.5
--- usr.sbin/httpd/httpd.conf.5 17 Aug 2023 07:25:57 -0000 1.123
+++ usr.sbin/httpd/httpd.conf.5 26 Oct 2023 06:18:27 -0000
@@ -649,7 +649,7 @@ If not specified, the default value
will be used (strong crypto cipher suites without anonymous DH).
See the CIPHERS section of
.Xr openssl 1
-for information about SSL/TLS cipher suites and preference lists.
+for information about TLS cipher suites and preference lists.
.It Ic client ca Ar cafile Oo Ic crl Ar crlfile Oc Op Ic optional
Require
.Po
Index: etc/examples//relayd.conf
===================================================================
RCS file: /cvs/src/etc/examples/relayd.conf,v
retrieving revision 1.5
diff -u -p -r1.5 relayd.conf
--- etc/examples//relayd.conf 6 May 2018 20:56:55 -0000 1.5
+++ etc/examples//relayd.conf 26 Oct 2023 05:47:17 -0000
@@ -34,7 +34,7 @@ redirect www {
}
#
-# Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
+# Relay and protocol for HTTP layer 7 loadbalancing and TLS acceleration
#
http protocol https {
match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
@@ -50,7 +50,7 @@ http protocol https {
}
relay wwwtls {
- # Run as a SSL/TLS accelerator
+ # Run as a TLS accelerator
listen on $ext_addr port 443 tls
protocol https
