> On Nov 24, 2020, at 05:47, William Lallemand <wlallem...@haproxy.com> wrote:
> 
> Hello Joao,
> 
> On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
>> 
>> It’s indeed rather confusing, sorry about the mess.
>> 
>> Here is a new proposal for the last paragraph, how does it sound? Suggestions
>> welcome; note that I’m not very familiar with English.
>> 
>> ====
>> 
>>  The first declared certificate of a bind line is used as the default
>>  certificate, either from crt or crt-list option, which haproxy should use in
>>  the TLS handshake if no other certificate matches. This certificate will also
>>  be used if the provided SNI matches its CN or SAN, even if a matching SNI
>>  filter is found on any crt-list. The SNI filter !* can be used after the first
>>  declared certificate to not include its CN and SAN in the SNI tree, so it will
>>  never match except if no other certificate matches. This way the first
>>  declared certificate acts as a fallback.
> 
> It looks good in my opinion, can you make a new patch for it?

Sure! Attached a new patch on top of current master.



Attachment: 0001-DOC-better-describes-how-to-configure-a-fallback-crt.patch
Description: Binary data
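
The crt-list layout that the proposed paragraph describes, shown as an added example that is not part of the original message or the attached patch. All file paths, certificate names and hostnames are constructed placeholders, and default.pem is assumed to carry CN=www.example.com.

```haproxy
# haproxy.cfg (fragment): the bind line loads its certificates from a crt-list
frontend fe_tls
    mode http
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt

# ---------------------------------------------------------------------------
# /etc/haproxy/crt-list.txt, variant A: first entry declared without a filter
#
# default.pem is the first declared certificate, so it is the default one.
# Its CN/SAN are also matched against the SNI, so a client sending
# SNI www.example.com is served default.pem even though www.pem has a
# matching SNI filter below.
/etc/haproxy/certs/default.pem
/etc/haproxy/certs/www.pem www.example.com

# ---------------------------------------------------------------------------
# /etc/haproxy/crt-list.txt, variant B: first entry followed by the !* filter
#
# "!*" keeps the CN and SAN of default.pem out of the SNI tree.
# SNI www.example.com now selects www.pem, and default.pem is presented
# only when no other certificate matches: it acts as a pure fallback.
/etc/haproxy/certs/default.pem !*
/etc/haproxy/certs/www.pem www.example.com
```

Variants A and B are two alternative contents for the same crt-list file, not one file. To check which certificate is presented for a given name, inspect the subject returned by `openssl s_client -connect <host>:443 -servername <name>`.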