> Similar question for certs with SANs - does it consider the
> alternative names in the selection process?

Yes, as per the doc:
> The certificates will be presented to clients who provide a
> valid TLS Server Name Indication field matching one of
> their CN or *alt subjects*.



> And lastly, what if I want "everything without a specific cert to
> use cert X, even though hostname doesn't match".

Unless you use strict-sni [1], there will be a default certificate,
which is used in case the client doesn't provide a SNI value.

If you really have exotic requirements, you can just map the
certificates yourself with a crt-list [2].


Lukas



[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-strict-sni
[2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list
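
The selection behaviour discussed above, as an added example that is not part of the original message and is not HAProxy's own code: a simplified Python model of matching the SNI against CN/alt subjects, falling back to the default certificate, strict-sni, and a crt-list style explicit mapping. It assumes the first loaded certificate is the default, that exact names are tried before wildcards, and that "*" covers only the first hostname label; the file names and hostnames are constructed.

```python
# Simplified model of SNI-based certificate selection (not HAProxy source code).
# Certificate names and hostnames are constructed sample data.

def name_matches(pattern, host):
    """Match a CN/alt subject against an SNI host; '*' covers the first label only."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host

def select_cert(certs, sni, strict_sni=False, crt_list=None):
    """Return the certificate to present, or None if the handshake is refused.

    certs:    ordered list of (cert_name, [CN and alt subjects]); first is the default
    crt_list: optional ordered list of (cert_name, [sni filters]); when given, the
              filters are used instead of the names inside the certificates
    """
    table = crt_list if crt_list is not None else certs
    if sni:
        # Assumption: exact names are tried before wildcard names.
        for want_wildcard in (False, True):
            for cert_name, names in table:
                for n in names:
                    if n.startswith("*.") == want_wildcard and name_matches(n, sni):
                        return cert_name
    if strict_sni:
        return None          # no SNI or no match: negotiation is not allowed
    return certs[0][0]       # otherwise the default certificate is presented

# Constructed sample set: default.pem is loaded first, so it is the default.
CERTS = [
    ("default.pem", ["www.example.com", "example.com"]),
    ("shop.pem", ["shop.example.net", "pay.example.net"]),
    ("wild.pem", ["*.example.org"]),
]

if __name__ == "__main__":
    for host in ("pay.example.net", "api.example.org", "a.b.example.org", None):
        print(host, "->", select_cert(CERTS, host),
              "| strict-sni:", select_cert(CERTS, host, strict_sni=True))
```
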
                                          
