From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: [wip] rust-rpxy 0.10.1
To: Matthieu Herrb <matthieu@openbsd.org>
Cc: Theo Buehler <tb@theobuehler.org>, ports@openbsd.org
Date: Mon, 14 Jul 2025 13:38:05 -0600

Matthieu Herrb <matthieu@openbsd.org> wrote:

> On Mon, Jul 14, 2025 at 03:29:27PM +0200, Theo Buehler wrote:
> > matthieu mentioned that this might be useful, so I whipped up a port.
> > Fortunately volker and I already prepared patches for an xonly issue
> > in aws-l2c so it should be fine in that regard.
> > 
> > This port builds and passes tests on amd64. I can test this way on
> > aarch64, but I can't really run test this from where I am right now.
> > 
> > This probably needs a dedicated user and rc setup. I hope someone can
> > save me some time by telling me what to do here (or where to copy from).
> >
> 
> Thanks.
> 
> The binary works with a simple rc.d file to run it as root. 
> 
> Unfortunately after this initial successful testing, I figured out there
> are some features that are either missing or adverse to making a good
> ports candidate:
> 
> - it cannot run with reduced privileges unless it only listens to
>   ports > 1024, needing pf level redirects to get 443 or 80.
> - for the same reason it cannot read a private key unless a shared
>   group is set up to own the key
> - since it watches on its config file changes to reload itself
>   automatically, implementing some form of privilege dropping will
>   probably break this feature.
> - also it cannot listen on both IPv4 and IPv6 sockets; it relies on
> - also it cannot listen on both IPv4 and IPv6 sockets; it relies on
>   Linux default behaviour of v6 sockets accepting v4 connexions too.

everything is a nail
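
Added example, not part of the thread and not rpxy code: a C sketch of the pattern the quoted list says is missing, where a daemon started as root binds a separate IPv4 and IPv6 listener on the low port and then drops to an unprivileged account. The function names `open_listener` and `drop_privileges` are hypothetical, and the account name is whatever the caller supplies; config-file reloading is not covered.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>

/* One listener per address family. IPV6_V6ONLY is set explicitly, so the
 * v6 socket never carries v4 traffic, whatever the platform default is. */
int open_listener(int family, unsigned short port)
{
    struct sockaddr_in6 a6;
    struct sockaddr_in a4;
    int on = 1, rc, fd = socket(family, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
    if (family == AF_INET6) {
        memset(&a6, 0, sizeof(a6));          /* zeroed address is :: */
        a6.sin6_family = AF_INET6;
        a6.sin6_port = htons(port);
        rc = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
        if (rc == 0)
            rc = bind(fd, (struct sockaddr *)&a6, sizeof(a6));
    } else {
        memset(&a4, 0, sizeof(a4));          /* zeroed address is 0.0.0.0 */
        a4.sin_family = AF_INET;
        a4.sin_port = htons(port);
        rc = bind(fd, (struct sockaddr *)&a4, sizeof(a4));
    }
    if (rc == -1 || listen(fd, 16) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Call after every listener is bound and the private key is loaded.
 * Order matters: supplementary groups, then gid, then uid. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || setgroups(1, &pw->pw_gid) == -1 ||
        setgid(pw->pw_gid) == -1 || setuid(pw->pw_uid) == -1)
        return -1;
    /* If root can be regained, the drop did not take effect. */
    return (pw->pw_uid != 0 && setuid(0) == 0) ? -1 : 0;
}
```

The listening descriptors and any key material read before `drop_privileges()` stay usable afterwards, which is why neither a pf redirect nor a shared key group is needed with this ordering.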