Commit Briefs

4cc4e7dc85 Rafael Sadowski

reject obs-fold with 400 (RFC 9112 5.2) (obs-fold)

Replace silent kv_extend normalisation with an unconditional 400. RFC 9112 5.2 explicitly permits rejection; it is the safer choice over SP replacement, which hides parser ambiguity downstream.
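
The rejection described above, as an added illustration that is not relayd's parser: a header-section scanner that returns 400 as soon as a line in the header section starts with SP or HTAB (obs-fold), rather than rewriting the fold into a single SP. It also rejects a field line with whitespace before the colon, which RFC 9112 5.1 likewise says a server must reject with 400. The enum names and the check_header_section() wrapper are this example's own.

```c
/*
 * Header-section scanner that rejects obsolete line folding.
 * Added illustration, not relayd's parser: RFC 9112 5.2 lets a server
 * reject any message whose header section contains a line starting with
 * SP or HTAB (obs-fold) with 400, which is what this does instead of
 * replacing the fold with a single SP.
 */
#include <stddef.h>
#include <string.h>

enum hdr_result {
	HDR_INCOMPLETE = -1,	/* terminating empty line not seen yet */
	HDR_OK = 0,		/* well-formed header section */
	HDR_BAD_REQUEST = 400	/* obs-fold or malformed field line: reject */
};

/*
 * Scan buf[0..len) as a start line, field lines and the empty line that
 * ends the header section. Lines end in CRLF; a bare LF is tolerated as
 * a line terminator. On HDR_OK, *consumed is the number of bytes up to
 * and including the terminating empty line.
 */
enum hdr_result
scan_header_section(const char *buf, size_t len, size_t *consumed)
{
	size_t pos = 0;
	int seen_start_line = 0;

	while (pos < len) {
		const char *line = buf + pos;
		const char *eol = memchr(line, '\n', len - pos);
		const char *colon;
		size_t linelen;

		if (eol == NULL)
			return HDR_INCOMPLETE;
		linelen = (size_t)(eol - line);
		if (linelen > 0 && line[linelen - 1] == '\r')
			linelen--;
		pos = (size_t)(eol - buf) + 1;

		if (linelen == 0) {
			if (!seen_start_line)
				continue;	/* RFC 9112 2.2: ignore leading empty lines */
			*consumed = pos;
			return HDR_OK;
		}
		/* obs-fold (or a whitespace-led start line): reject, do not unfold */
		if (line[0] == ' ' || line[0] == '\t')
			return HDR_BAD_REQUEST;
		if (!seen_start_line) {
			seen_start_line = 1;
			continue;
		}
		/* field-line = field-name ":" OWS field-value OWS */
		colon = memchr(line, ':', linelen);
		if (colon == NULL || colon == line)
			return HDR_BAD_REQUEST;	/* missing field name or colon */
		if (colon[-1] == ' ' || colon[-1] == '\t')
			return HDR_BAD_REQUEST;	/* RFC 9112 5.1: whitespace before colon */
	}
	return HDR_INCOMPLETE;
}

/* Convenience wrapper for NUL-terminated buffers; returns the enum value. */
int
check_header_section(const char *s)
{
	size_t consumed = 0;

	return (int)scan_header_section(s, strlen(s), &consumed);
}
```

Returning HDR_INCOMPLETE rather than guessing keeps the caller from acting on a header section it has not fully seen; a folded continuation line can only be recognised once the next line has arrived.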


caed4502ee Rafael Sadowski

Add regress from base (devel)


b400ca1d90 tb

relayd: remove X509_dup() call that leaks memory (main)

While there, add error checks for X509_set_{pubkey,issuer_name}(). From Marc Jorge


ee25970966 rsadowski

relayd: add support for the MKCALENDAR HTTP method

relayd is missing this method from the WebDAV/CalDAV extensions. This causes issues when using relayd as a reverse proxy in front of CalDAV servers like Nextcloud. OK kirill@


b9e7693297 rsadowski

relayd: fix DEBUG build

feedback and OK tb@


e9c398966c kirill

usr.sbin/relayd: support multiple resolvable addresses.

relayd supports an interface name, DNS hostname or interface group at listen on, but it binds only to the first discovered IP address, which is usually IPv4. Here I changed the parser to create a dedicated listener for each address discovered and configured on a local interface. This means that listen on egress port 80 binds to all IPv4 and IPv6 addresses on the egress group. OK: rsadowski@


05a099a8f4 kirill

usr.sbin/relayd: handle HTTP responses without bodies

RFC 9112 section 6.3 specifies that responses to HEAD requests, and responses with 1xx, 204, or 304 status codes, are terminated by the empty line after the header section regardless of Content-Length or Transfer-Encoding. They cannot contain a message body or trailer section. Teach relayd to apply that framing rule before deciding whether a response body is bounded. Otherwise relayd treats these responses as unbounded, adds Connection: close, and can forward both the backend's Connection: keep-alive and its own Connection: close. Tweaks and OK: rsadowski@
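
The framing decision described above, as an added example that is not relayd's code: the no-body rule for HEAD responses and 1xx/204/304 status codes is applied before Content-Length or Transfer-Encoding are consulted, and only a response that is genuinely close-delimited makes the proxy force Connection: close. The enum names and the two function names are this example's own; it also covers the chunked and Content-Length cases that the commit message does not spell out.

```c
/*
 * Response body framing per RFC 9112 section 6.3, no-body rule first.
 * Added example, not relayd code: decides how a proxy bounds a backend
 * response before deciding whether it must force Connection: close.
 */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum body_framing {
	BODY_NONE,		/* ends at the empty line; no body, no trailers */
	BODY_CHUNKED,		/* Transfer-Encoding: chunked */
	BODY_LENGTH,		/* exactly Content-Length bytes */
	BODY_UNTIL_CLOSE	/* unbounded: body ends when the backend closes */
};

enum body_framing
response_body_framing(int status, bool head_request, bool chunked,
    bool has_content_length)
{
	/*
	 * Responses to HEAD and responses with 1xx, 204 or 304 status never
	 * carry a body, whatever Content-Length or Transfer-Encoding say.
	 * This check must come before the length checks below.
	 */
	if (head_request || (status >= 100 && status <= 199) ||
	    status == 204 || status == 304)
		return BODY_NONE;
	/* A chunked transfer coding takes precedence over Content-Length. */
	if (chunked)
		return BODY_CHUNKED;
	/* Otherwise a Content-Length bounds the body. */
	if (has_content_length)
		return BODY_LENGTH;
	/* No declared length: the body runs until the backend closes. */
	return BODY_UNTIL_CLOSE;
}

/*
 * Connection header the proxy should send downstream. Only a response
 * that is bounded by connection close forces "close"; anything else
 * passes the backend's own value through unchanged (it may be NULL),
 * so a 204 with "keep-alive" is never sent with both values.
 */
const char *
proxy_connection_header(int status, bool head_request, bool chunked,
    bool has_content_length, const char *backend_connection)
{
	if (response_body_framing(status, head_request, chunked,
	    has_content_length) == BODY_UNTIL_CLOSE)
		return "close";
	return backend_connection;
}
```

Ordering is the whole point: a 204 that arrives with Content-Length: 10 from a misbehaving backend must still be framed as bodiless, otherwise the proxy waits for ten bytes that never come and stalls the connection.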


cc2ec1f7a0 rsadowski

relayd: use explicit_bzero in ssl_password_cb

This replaces bzero with explicit_bzero in the SSL password callback. Since ssl_password_cb handles sensitive data a standard bzero could be optimized away by the compiler. Additionally, this ensures the buffer is cleared if strlcpy fails due to truncation, preventing password fragments from lingering in memory. OK renaud@, kirill@
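
The two callback shapes described above, as an added example that is not relayd's ssl_password_cb: a weak callback that zeroes the buffer first and returns early on truncation, leaving a password prefix behind, beside a hardened one that wipes the buffer on the truncation path. Both follow the OpenSSL pem_password_cb signature (char *buf, int size, int rwflag, void *userdata) with the password passed in userdata. Two things are this example's own assumptions: snprintf() stands in for strlcpy() because strlcpy is not available in every libc, and secure_zero() stands in for explicit_bzero() for the same reason, using a volatile function pointer so the compiler cannot treat the store as dead.

```c
/*
 * PEM password callback with explicit clearing on truncation.
 * Added example shaped like OpenSSL's pem_password_cb; it is not
 * relayd's ssl_password_cb. secure_zero() is a portable stand-in for
 * explicit_bzero(): calling memset through a volatile function pointer
 * stops the compiler from proving the store dead and eliding it.
 */
#include <stdio.h>
#include <string.h>

static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

static void
secure_zero(void *p, size_t n)
{
	secure_memset(p, 0, n);
}

/*
 * Weak version: zeroes first (a plain memset that the optimiser may
 * drop), copies, and bails out on truncation, leaving the truncated
 * prefix of the password sitting in buf.
 */
int
pw_cb_weak(char *buf, int size, int rwflag, void *userdata)
{
	const char *pw = userdata;

	(void)rwflag;
	if (pw == NULL || size <= 0)
		return 0;
	memset(buf, 0, (size_t)size);
	/* snprintf stands in for strlcpy: both report the full source length */
	if (snprintf(buf, (size_t)size, "%s", pw) >= size)
		return 0;	/* truncated, but the fragment stays in buf */
	return (int)strlen(buf);
}

/*
 * Hardened version: never hands back a partial password and wipes the
 * fragment on the truncation path with a clear that cannot be elided.
 */
int
pw_cb_hardened(char *buf, int size, int rwflag, void *userdata)
{
	const char *pw = userdata;
	int n;

	(void)rwflag;
	if (pw == NULL || size <= 0)
		return 0;
	n = snprintf(buf, (size_t)size, "%s", pw);
	if (n < 0 || n >= size) {
		secure_zero(buf, (size_t)size);
		return 0;
	}
	return n;
}

/* Run cb against a constructed buffer and return what it returned. */
int
cb_result(int (*cb)(char *, int, int, void *), const char *pw, int size)
{
	char buf[64];

	if (size > (int)sizeof(buf))
		size = (int)sizeof(buf);
	return cb(buf, size, 0, (void *)pw);
}

/* Run cb and report 1 if buf[0..size) holds only zeroes afterwards. */
int
buffer_is_clean_after(int (*cb)(char *, int, int, void *), const char *pw,
    int size)
{
	char buf[64];
	int i;

	if (size > (int)sizeof(buf))
		size = (int)sizeof(buf);
	cb(buf, size, 0, (void *)pw);
	for (i = 0; i < size; i++)
		if (buf[i] != 0)
			return 0;
	return 1;
}
```

On OpenBSD and glibc 2.25 or later, secure_zero() can simply be explicit_bzero(buf, size); the two helper functions at the end exist only so the leftover contents of the buffer can be inspected.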


36dd1e7a7b rsadowski

relayd: allow explicit paths for certificates, keys and OCSP staples

Extend the "keypair" keyword in relayd.conf to support optional explicit paths. Previously, relayd enforced a naming convention, looking up files in /etc/ssl and /etc/ssl/private based on the keypair name. This change allows other applications to manage their certificates without having to comply with relayd's internal naming logic. Input and OK kirill@, help from tb@


e64b43bec6 kirill

relayd: support TLS with multiple listeners

Fix a bug in relay_inherit(), which only runs relay_load_certfiles(conf, rb, NULL) unconditionally. This isn't aligned with the logic in the parser when it parses a relay block, where multiple certificates are loaded as relay_load_certfiles(conf, rb, NULL) only if there are no tlscerts (for the default host), and otherwise it loads keypairs. OK: rsadowski@

