mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-24 05:32:21 +00:00
e51fab0a4a
HAProxy uses CN and SAN of the certificates to match incoming SNI, and use the matching certificate in the TLS handshake. `crt-list` goes further and allows to configure SNI filters to explicitly define the FQDNs that should match a certificate. The first declared certificate of the `crt-list` option follows the same rules, and it's also used as a fallback - the certificate that should be used if SNI isn't provided or the provided one cannot match any certificate or SNI filter. If a provided SNI matches the CN or SAN of the first certificate, the first certificate would be used even if a matching SNI filter is declared later. This change clarifies this scenario and documents a filter that can be used to convert the first declared certificate as a proper fallback. Should be merged as far as the first SNI filter implementation. |
||
---|---|---|
.. | ||
design-thoughts | ||
internals | ||
lua-api | ||
51Degrees-device-detection.txt | ||
acl.fig | ||
architecture.txt | ||
close-options.txt | ||
coding-style.txt | ||
configuration.txt | ||
cookie-options.txt | ||
DeviceAtlas-device-detection.txt | ||
gpl.txt | ||
haproxy.1 | ||
intro.txt | ||
lgpl.txt | ||
linux-syn-cookies.txt | ||
lua.txt | ||
management.txt | ||
netscaler-client-ip-insertion-protocol.txt | ||
network-namespaces.txt | ||
peers-v2.0.txt | ||
peers.txt | ||
proxy-protocol.txt | ||
queuing.fig | ||
regression-testing.txt | ||
seamless_reload.txt | ||
SOCKS4.protocol.txt | ||
SPOE.txt | ||
WURFL-device-detection.txt |