Relayd TLS Inspection does not support SNI, apparently.
The question was identified on openbsd-misc, and no-one provided further advice about how it may be configured.
https://marc.info/?l=openbsd-misc&m=162161980321486&w=2
It appears that other tools can be used, but of course, the preference is to use built-in tools where possible. I'm afraid my programming skills are a bit weak, and thus cannot provide a diff for improving relayd. I was hoping that this would be a relatively easy update, or that I missed something in the documentation. Alternatively, if the update is infeasible, I propose a slight change to the documentation:
*** relayd.conf.8.orig Fri May 21 13:19:06 2021
--- relayd.conf.8 Fri May 21 13:23:09 2021
*** 500,506 ****
filter TLS connections as a man-in-the-middle. This combined
mode is also called "TLS inspection". The configuration requires
additional X.509 certificate settings; see the ca key description
! in the PROTOCOLS section for more details.
When configured for "TLS inspection" mode, relayd(8) will listen for
incoming connections which have been diverted to the local socket by PF.
--- 500,510 ----
filter TLS connections as a man-in-the-middle. This combined
mode is also called "TLS inspection". The configuration requires
additional X.509 certificate settings; see the ca key description
! in the PROTOCOLS section for more details. Note that this feature
! currently does not support Server Name Identification (SNI) making
! it inappropriate for use as a general Internet TLS Inspection
! gateway.
!
When configured for "TLS inspection" mode, relayd(8) will listen for
incoming connections which have been diverted to the local socket by PF.
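Review bot: In the added sentence beginning "Note that this feature", SNI is expanded as "Server Name Identification"; the TLS extension is called Server Name Indication, so the text should read "does not support Server Name Indication (SNI), making it inappropriate ...", with a comma before "making". The context lines also appear to be rendered manual text (for example "relayd(8)" and the quoted "TLS inspection") rather than the manual page source, so the wording would need to be reapplied to the source file before this could be committed.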