On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet wrote:
> > I think it's fine not to have a default_cert if not needed
>
> The default_cert is always set with the first certificate.
> The default_cert is used if no certificate match sni.
> With strict-sni, the default_cert is never used as this.
> With strict-sni, fail on ssl connection is ok.
> Have no certificate in bind line fail on all ssl connection. It's ok with the
> behavior of strict-sni.
>
> > (strict_sni && !generate). I don't know if it complicates anything
> > or not though.
>
> I think is not.
> I'm on holiday for a week, i'll look at this after.

OK! No rush anyway, what matters is to have a clear mind on how we want all
this stuff to work together. It's important to keep in mind that SSL
combinations become a bit complex and I feel like over the last few months,
we've caused various types of breakage by lacking a global view on all use
cases, so it's good to let things cool down a bit after having identified
them all. That tends to ignite more generic and cleaner designs.

Cheers,
Willy

