commit e64b43bec6df27f7e951b1c8878d1898928966b2 from: kirill date: Mon Apr 6 09:14:54 2026 UTC relayd: support TLS with multiple listeners Fix a bug in relay_inherit() which runs only relay_load_certfiles(conf, rb, NULL) unconditionally which isn't alligned with logic in parser when it parses relay block, where multiple certificates are load as relay_load_certfiles(conf, rb, NULL) only if here no tlscerts (for default host) and otherwise it loads keypairs. OK: rsadowski@
commit - 0c9dbe77378362ddd333790c3b291fd5b8e940ed
commit + e64b43bec6df27f7e951b1c8878d1898928966b2
blob - eaa7c2cbe1787c2069950b19999449c2adbe89e4
blob + 6c3d538ed4e09c5b81ac4bf4e384ded17b27ee87
--- parse.y
+++ parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.261 2026/03/03 19:51:41 rsadowski Exp $ */
+/* $OpenBSD: parse.y,v 1.262 2026/04/06 09:14:54 kirill Exp $ */

 /*
 * Copyright (c) 2007 - 2014 Reyk Floeter
@@ -3409,6 +3409,7 @@ struct relay *
 relay_inherit(struct relay *ra, struct relay *rb)
 {
 struct relay_config rc;
+ struct keyname *name;
 struct relay_table *rta, *rtb;

 bcopy(&rb->rl_conf, &rc, sizeof(rc));
@@ -3444,11 +3445,19 @@ relay_inherit(struct relay *ra, struct relay *rb)
 goto err;
 }

- if (relay_load_certfiles(conf, rb, NULL) == -1) {
+ if (TAILQ_EMPTY(&rb->rl_proto->tlscerts) &&
+ relay_load_certfiles(conf, rb, NULL) == -1) {
 yyerror("cannot load certificates for relay %s",
 rb->rl_conf.name);
 goto err;
 }
+ TAILQ_FOREACH(name, &rb->rl_proto->tlscerts, entry) {
+ if (relay_load_certfiles(conf, rb, name->name) == -1) {
+ yyerror("cannot load keypair %s for relay %s",
+ name->name, rb->rl_conf.name);
+ goto err;
+ }
+ }

 TAILQ_FOREACH(rta, &ra->rl_tables, rlt_entry) {
 if ((rtb = calloc(1, sizeof(*rtb))) == NULL) {
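Review bot: The two-step certificate load added to relay_inherit() (`TAILQ_EMPTY(&rb->rl_proto->tlscerts) && relay_load_certfiles(conf, rb, NULL)` followed by the `TAILQ_FOREACH` over `tlscerts`) is, per the commit message, a second copy of what the relay block in the grammar already does, and nothing in the new lines says so; the two copies having diverged is the bug being fixed here. A comment above the `if` would help keep them together, for example `/* Keep in sync with the relay block: default certificate only when no keypairs are listed. */`, and a shared helper for both call sites would remove the risk of an inherited listener presenting a different certificate set than its parent again. The `err` label is outside this hunk, so whether a failure on a later keypair releases what earlier iterations loaded cannot be checked from here and is worth confirming.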