> On 27 Oct 2017 at 15:02, Olivier Houchard <[email protected]> wrote:
>
> The attached patch does use the ssl_conf, instead of abusing ssl_options.
> I also added a new field in global_ssl, I wasn't so sure about this, but
> decided people may want to enable 0RTT globally.
>
> Emmanuel, is this ok for you ?
>
In a global option seems a bad idea.

My opinion about global ssl ‘options’ for bind:

- A good fit is in ssl-default-bind-options. It can be extended to more options like generate-cert, strict-sni, …. (In this case, having a kw_list would be a good idea, to have something better than parsing with if/then/else in ssl_parse_default_bind_options.)
- Some options already have 2 locations for configuration (bind line and per certificate); do we really need a third? And some options are not really good candidates.

++
Manu

