On Sat, Feb 1, 2014 at 1:12 PM, Reindl Harald <[email protected]>wrote:
> > > Am 01.02.2014 20:53, schrieb Leif Hedstrom: > >> On Feb 1, 2014, at 11:54 AM, James Peach <[email protected]> wrote: > >> > >>> On Feb 1, 2014, at 7:37 AM, Leif Hedstrom <[email protected]> wrote: > >>> > >>> Hi all, > >>> > >>> I just upgraded to latest master, and noticed that our behavior has > changed related to how certs are "negotiated". This is related to TS-2031 I > believe. > >>> > >>> What it meant for me was that I had to reorder a couple of rules in > ssl_multicert.config for the sites to work as expected. I'm sure this is a > pretty unusual case, so I'm probably ok to just document this (visibly, in > the v4.2.0 release) notes. But I'm interested to hear what others using SSL > has to say about this? It technically does break backwards compatibility, > since a config that used to work with v4.1.3 will not work with v4.2.0. > >>> > >>> Or should we play it safe, and move TS-2031 over to 5.0.x ? > >> > >> I'm not very clear on what happened; can you spell it out? > > > > I have two certs that matches www.ogre.com (one is is a wildcard). > After this change, I have to reorder the two lines in the config, to get > expected behavior > > i guess the non-wildcard on top to override the wildcard > in other words: the more specific wins > in that case -> go ahead -> perfect! > > not sure how the current behavior is, but if my guess is right > i would even go so far and call it a well deserved bugfix > > I think we all agree this is a bugfix that should go in, the issue is where in the release process it should be. Is this making something functional that was not before? Or is it just making the functionality more well defined? I think what Leif and I are really trying to avoid here is any unexpected behavior in a minor release that is going to be the LTS release.
