Skip to content


Introduce privsep for private keys:
Browse files Browse the repository at this point in the history
- Move RSA private keys to a new separate process instead of copying
them to the relays.  A custom RSA engine is used by the SSL/TLS code
of the relay processes to send RSA private key encryption/decryption
(also used for sign/verify) requests to the new "ca" processes instead
of operating on the private key directly.

- Each relay process gets its own related ca process.  Setting
"prefork 5" in the config file will spawn 10 processes (5 relay, 5
ca).  This diff also reduces the default number of relay processes
from 5 to 3 which should be suitable in most installations without a
very heavy load.

- Don't keep text versions of the keys in memory, parse them once and
keep the binary representation.  This might still be the case in
OpenSSL's internals but will be fixed in the library.

This diff doesn't prevent something like "heartbleed" but adds an
additional mitigation to prevent leakage of the private keys from the
processes doing SSL/TLS.

With feedback from many
ok benno@
  • Loading branch information
reyk committed Apr 18, 2014
1 parent 669def5 commit 3d77879
Show file tree
Hide file tree
Showing 9 changed files with 652 additions and 100 deletions.
13 changes: 7 additions & 6 deletions usr.sbin/relayd/Makefile
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
# $OpenBSD: Makefile,v 1.25 2014/04/14 12:58:04 blambert Exp $
# $OpenBSD: Makefile,v 1.26 2014/04/18 13:55:26 reyk Exp $

PROG= relayd
SRCS= parse.y log.c control.c ssl.c ssl_privsep.c \
relayd.c pfe.c pfe_filter.c pfe_route.c hce.c relay.c \
relay_http.c relay_udp.c carp.c check_icmp.c check_tcp.c \
check_script.c name2id.c snmp.c shuffle.c proc.c config.c \
SRCS= parse.y
SRCS+= agentx.c ca.c carp.c check_icmp.c check_script.c \
check_tcp.c config.c control.c hce.c log.c name2id.c \
pfe.c pfe_filter.c pfe_route.c proc.c \
relay.c relay_http.c relay_udp.c relayd.c \
shuffle.c snmp.c ssl.c ssl_privsep.c
MAN= relayd.8 relayd.conf.5

LDADD= -levent -lssl -lcrypto -lutil
Expand Down

0 comments on commit 3d77879

Please sign in to comment.