Both relayd(8) and httpd(8) now have the "secure" list of allowed crypto methods for HTTPS, which include TLSv1.3 and the TLSv1.2 AEAD cipher suites. The previous list was "HIGH:!aNULL" which contain non-perfect-forward-security methods and this change may cause old clients to not be able to connect.

We almost missed this in a flurry of commits by Jonathan gray (jsg@), but following this commit, OpenBSD/amd64 kernels now have a 512GB address space.

The commit message innocently reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Jonathan Gray <jsg () cvs ! openbsd ! org>
Date:       2026-06-22 0:27:33
Message-ID: 162f075352ec66cd () cvs ! openbsd ! org

CVSROOT:	/cvs
Module name:	src
Changes by:	jsg@cvs.openbsd.org	2026/06/21 18:27:33

Modified files:
	sys/arch/amd64/include: vmparam.h 

Log message:
raise the size of amd64 kernel virtual address space from 4G to 512G

In OpenBSD, the syslogd(8) system logger has already for a while now fork(2)ed the privileged from the non-privileged parts.

Now Alexander Bluhm (bluhm@) decided it's time to split these parts into separate binaries in order to provide even better separation. The final commit message reads,

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Alexander Bluhm <bluhm () openbsd ! org>
Date:       2026-06-11 15:41:33

CVSROOT:	/cvs
Module name:	src
Changes by:	bluhm@cvs.openbsd.org	2026/06/11 09:41:33

Modified files:
	usr.sbin/syslogd: Makefile privsep.c syslogd.c syslogd.h 
	etc/rc.d       : syslogd 
Added files:
	usr.sbin/syslogd: Makefile.inc parent.c 
	usr.sbin/syslogd/parent: Makefile 
	usr.sbin/syslogd/syslogd: Makefile 

Log message:
Provide a separate executable file for syslogd parent.

Random order relinking of critical components is an OpenBSD feature specifically designed to make it harder to exploit bugs in the resulting binary. sshd(8) was the first of the network-facing daemons to get the random treatment (see this previous report).

Now in a series of commits that split one daemon (smptd(8)) into six separate binaries, Theo de Raadt (deraadt@) is bringing httpd(8) and smptd(8), both common in network facing configrations, into the random relink at boot fold.

httpd(8) was the first of the two:

In -current, Robert Nagy (robert@) updated clang(1), llvm, and lld(1) to version 22.1.6:
https://marc.info/?l=openbsd-cvs&m=178005264089753&w=2
https://marc.info/?l=openbsd-cvs&m=178005271889792&w=2
https://marc.info/?l=openbsd-cvs&m=178005276789832&w=2

Yes, that's a lot of churn, all for the better we think.

Work on ports compliance continues.

The LibreSSL project has announced the release of version 4.3.2 of the software.

The release notes are as follows:

Version 0.126 of Game of Trees has been released (and the port updated). Complete release notes are as follows:

The OpenBSD project has announced OpenBSD 7.9, its 60^th release.

The new release contains a number of significant improvements, including but certainly not limited to:

• MAXCPU value on OpenBSD/amd64 increased to 255 [See earlier report]
• Preparations for supporting 52 disk partitions [See earlier report]
• Introduced selective blocking of cores from the scheduler with sysctl hw.blockcpu [See earlier report]
• Delayed hibernation support on OpenBSD/amd64 laptops [See earlier report]
• On amd64, implemented delayed hiberation [See earlier report]
• Parallel fault handling enabled on amd64 and arm64 platforms
• drm(4) code updated to linux 6.18.16 [See earlier report]
• Added sysctl(8) machdep.vmmode to indicate status as a host or guest [See commit]
• Added vmboot (on amd64), a tiny kernel for booting SEV VMs, which allows sysupgrade(8) to work [See commit]
• Made OpenBSD run as a guest under Apple Hypervisor [See earlier report]
• Converted vmd(8)'s virtio scsi device to a subprocess [See earlier report]
• Added nhi(4), a driver for USB4 controllers, which allows modern laptops with AMD CPUs to reach the appropriate low power idle states during S0ix suspend. [See commit]
• Added basic implementation of the low-level FUSE API
• Improved sysugprade(8) handling of low disk space in /usr [See earlier report]
• fw_update(8) now checks dmesg(8) output in addition to dmesg.boot [See earlier report]
• On amd64, added support for loading kernels from the EFI system partition [See commit]
• The pledge(2) "tmppath" promise has been retired [See earlier reports]
• Enabled IPv6 autoconf [SLAAC] by default in installer [See commit]
• Private VLAN (PVLAN) support added to veb(4) [See commit]
• LACP support removed from trunk(4) [See earlier report]
• Multiple pf(4) enhancements:
  • Source and state limiters introduced [See earlier report]
  • Print both nat-to and rdr-to in pfctl -s rules
• Added httpd.conf(5) "no banner" configuration directive to suppress generation of "Server" header [See commit]
• In relayd(8), added support for PROXY protocol in TCP relays
• In acme-client(1), added support for IP Address certificates
• OpenBGPD 9.1 [See earlier reports on releases of versions 9.0 & 9.1]
• rpki-client 9.8 [See earlier reports on releases of versions 9.7 & 9.8]
• LibreSSL 4.3.1 [See earlier report]
• OpenSSH 10.3 [See earlier report]
  • Several security enhancements were added
  • Added ssh(1) escape ~I showing information about the current SSH connection [See commit]
• chromium (and derivatives) gained VA-API support [See earlier report]
• chromium (and derivatives) gained (Open) Widevine support support [See earlier report]

See the full changelog for more details of the changes made over this latest six month development cycle.

The Installation Guide details how to get the system up and running with a fresh install, while those who already run earlier releases should follow the Upgrade Guide, in most cases using sysupgrade(8).

Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!

Like (we suspect) quite a few of our readers, undeadly.org co-editor Peter Hansteen runs a mail service and settled on exim as the reasonable alternative to the classic sendmail way back when.

However, that software has had its share of security issues over the years, and during the preparations for the OpenBSD 7.9 release, the ports maintainers decided that

"History of security issues + setuid root is a terrible combo."

and it was time to remove exim from the packages collection.

This meant that the mail service needed to migrate to something else, and Peter wrote up a short article about migrating a multi-domain, multi-site setup to smtpd: OpenSMTPD Is The Mail Server For The Future. The article has a working configuration and advice on how to proceed.