Hi!

I'm not very familiar with the code, so I thought I'd ask before something 
changes unexpectedly :)
I asked about certificate ordering a while ago, too, and I seem to remember 
(and we currently rely on this) that exact domain matches are “weighted higher” 
than wildcard matches on purpose, so that if I just dump the certificates in a 
directory, it will pick a more specific one over a wildcard that is also there 
as a “catchall”.

Not saying one or the other is right or wrong, but if this should be merged, it 
must be made very clear that people might have to change their setups.

Daniel



-- 
Daniel Schneller
Principal Cloud Engineer
 
CenterDevice GmbH                  | Hochstraße 11
                                   | 42697 Solingen
tel: +49 1754155711                | Germany
daniel.schnel...@centerdevice.de   | www.centerdevice.de

Management: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Commercial register no.: HRB 18655,
Register court: Bonn, VAT ID: DE-815299431


> On 10. Apr. 2017, at 20:02, Sander Hoentjen <san...@hoentjen.eu> wrote:
> 
> This is a corrected patch against 1.7.5.
> 
> On 04/10/2017 05:00 PM, Sander Hoentjen wrote:
>> No, scratch that, this is wrong.
>> 
>> On 04/10/2017 04:57 PM, Sander Hoentjen wrote:
>>> The attached patch against haproxy 1.7.5 honours crt order also for
>>> wildcards.
>>> 
>>> On 04/07/2017 03:42 PM, Sander Hoentjen wrote:
>>>> Hi Sander,
>>>> 
>>>> On 04/06/2017 02:06 PM, Sander Klein wrote:
>>>>> Hi Sander,
>>>>> 
>>>>> On 2017-04-06 10:45, Sander Hoentjen wrote:
>>>>>> Hi guys,
>>>>>> 
>>>>>> We have a setup where we sometimes have multiple certificates for a
>>>>>> domain. We use multiple directories for that and would like the
>>>>>> following behavior:
>>>>>> - Look in dir A for any match, use it if found
>>>>>> - Look in dir B for any match, use it if found
>>>>>> - Look in dir .. etc
>>>>>> 
>>>>>> This works great, except for wildcards. Right now a domain match in dir
>>>>>> B takes precedence over a wildcard match in dir A.
>>>>>> 
>>>>>> Is there a way to get haproxy to behave the way I describe?
>>>>> I have been playing with this some time ago and my solution was to
>>>>> just think about the order of certificate loading. I then found out
>>>>> that the last certificate was preferred if it matched. Not sure if
>>>>> this has changed over time.
>>>> This does not work for wildcard certs, it seems they are always tried last.
>>>> 
>>>> Regards,
>>>> Sander
>>>> 
>> 
> 
> <haproxy-wildcards.patch>
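To make the two orderings discussed in this thread concrete, here is an added model (not HAProxy's code and not the attached patch) of certificate selection for an SNI name: `select_exact_first` is the behaviour the thread describes today, where an exact name match beats a wildcard whatever directory it came from, and `select_dir_order` is the behaviour Sander asks for, where the first crt directory containing any match wins and exact-over-wildcard only applies within one directory. Assumptions: wildcards cover a single DNS label (RFC 6125 style), and ties within a class go to the first-loaded certificate; the sample store is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str    # CN/SAN as written in the PEM file, e.g. "*.example.com"
    source: str  # crt directory the file was loaded from
    order: int   # position in the overall load order (assumed tie-break)


def matches(pattern: str, sni: str) -> bool:
    """Case-insensitive match; '*.' covers exactly one leading label (assumption)."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = sni[:-len(suffix)] if sni.endswith(suffix) else None
        return bool(head) and "." not in head
    return pattern == sni


def is_wildcard(cert: Cert) -> bool:
    return cert.name.startswith("*.")


def select_exact_first(certs: List[Cert], sni: str) -> Optional[Cert]:
    """Behaviour described in the thread: exact matches outrank wildcards globally."""
    hits = [c for c in certs if matches(c.name, sni)]
    return min(hits, key=lambda c: (is_wildcard(c), c.order)) if hits else None


def select_dir_order(certs: List[Cert], dirs: List[str], sni: str) -> Optional[Cert]:
    """Requested behaviour: walk dirs in order, first dir with any match wins."""
    for d in dirs:
        hits = [c for c in certs if c.source == d and matches(c.name, sni)]
        if hits:  # exact beats wildcard only inside this directory
            return min(hits, key=lambda c: (is_wildcard(c), c.order))
    return None


# Constructed sample store: dir A is the preferred directory, dir B the fallback.
DIRS = ["A", "B"]
STORE = [
    Cert("*.example.com", "A", 0),
    Cert("www.example.com", "B", 1),
    Cert("api.example.com", "A", 2),
]

if __name__ == "__main__":
    for sni in ("www.example.com", "api.example.com", "example.com", "a.b.example.com"):
        cur, want = select_exact_first(STORE, sni), select_dir_order(STORE, DIRS, sni)
        print(f"{sni:22} exact-first -> {cur}\n{'':22} dir-order   -> {want}")
```

The `www.example.com` case is the one the thread is about: today the exact match from dir B wins, while with directory ordering the wildcard from dir A is served and the exact match is never reached, which is the setup change Daniel warns existing users would have to account for.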
