Hello Joao,

On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
>
> It’s indeed rather confusing, sorry about the mess.
>
> Here is a new proposal of the last paragraph, how does it sound? - suggestions
> welcome, note that I’m not very familiar with English
>
> ====
>
> The first declared certificate of a bind line is used as the default
> certificate, either from crt or crt-list option, which haproxy should use in
> the TLS handshake if no other certificate matches. This certificate will also
> be used if the provided SNI matches its CN or SAN, even if a matching SNI
> filter is found on any crt-list. The SNI filter !* can be used after the first
> declared certificate to not include its CN and SAN in the SNI tree, so it will
> never match except if no other certificate matches. This way the first
> declared certificate acts as a fallback.

It looks good in my opinion, can you make a new patch for it?

Thanks

-- 
William Lallemand
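Added example, not part of the original message and not HAProxy code: a small Python model of the selection rule in the quoted paragraph, showing how `!*` on the first certificate changes which certificate answers for a name that is also in the default certificate's CN/SAN. The certificate file names, host names and the functions `parse_crt_list` and `select_cert` are constructed for illustration; matching is exact-name only (wildcards and negative filters other than `!*` are not modelled).

```python
# Simplified model of the rule in the quoted paragraph (assumption: exact,
# case-insensitive name matching; this is not how HAProxy is implemented).

NAMES = {  # certificate -> CN/SAN names (constructed sample data)
    "default.pem": ["admin.example.test"],
    "strict.pem": ["admin.example.test"],
    "www.pem": ["www.example.test"],
}
WITHOUT_FILTER = """
default.pem
strict.pem admin.example.test
www.pem
"""
WITH_FILTER = WITHOUT_FILTER.replace("default.pem", "default.pem !*")


def parse_crt_list(text):
    """Parse crt-list-style lines into [(cert, [sni_filters])]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            cert, *filters = line.split()
            entries.append((cert, filters))
    return entries


def select_cert(entries, cert_names, sni):
    """Return the certificate the model picks for a client SNI (or None)."""
    default_cert, default_filters = entries[0]
    fallback_only = "!*" in default_filters
    sni = sni.lower() if sni else None
    # Without !*, the first certificate's own CN/SAN win over any SNI filter.
    if sni and not fallback_only and sni in cert_names[default_cert]:
        return default_cert
    # With !*, the first certificate is kept out of the SNI lookup entirely.
    for cert, filters in (entries[1:] if fallback_only else entries):
        positive = [f.lower() for f in filters if not f.startswith("!")]
        names = positive if positive else cert_names[cert]
        if sni in names:
            return cert
    return default_cert  # nothing matched: first declared certificate


if __name__ == "__main__":
    for label, text in (("no filter", WITHOUT_FILTER), ("with !*", WITH_FILTER)):
        for sni in ("admin.example.test", "www.example.test", "other.example.test"):
            print(label, sni, "->", select_cert(parse_crt_list(text), NAMES, sni))
```
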