> On 28 Jul 2017, at 18:43, Willy Tarreau <[email protected]> wrote:
>
> On Fri, Jul 28, 2017 at 06:01:10PM +0200, Emmanuel Hocdet wrote:
>>
>>> On 28 Jul 2017, at 17:48, Emmanuel Hocdet <[email protected]> wrote:
>>> I propose:
>>> strict_sni is set and generated_cert is not set: default_cert is optional
>>> (with or without warning?)
>>> else default_cert is required
>>
>> to be exact:
>> /default_cert/have at least one certificate in bind configuration/
>
> I understood just before this sentence :-)

ok :-)

> I think it's fine not to have a default_cert if not needed

The default_cert is always set with the first certificate.
The default_cert is used if no certificate matches the SNI.
With strict-sni, the default_cert is never used as this.
With strict-sni, failing on the SSL connection is ok.
Having no certificate in the bind line fails on all SSL connections.
It’s ok with the behavior of strict-sni.

> (strict_sni && !generate). I don't know if it complicates anything
> or not though.

I think it does not.
I'm on holiday for a week, I'll look at this after.

++
Manu

