Wonderful! Thank you.
Looks like both the default behavior will work, and it has full capability for
manual control if needed. Nicely built!
-- Nathan
On 01/22/2015 01:31 PM, Lukas Tribus wrote:
>> Similar question for certs with SANs - does it consider the
>> alternative names in the selection process?
>
> Yes, as per the doc:
>
>> The certificates will be presented to clients who provide a
>> valid TLS Server Name Indication field matching one of
>> their CN or *alt subjects*.
>
>> And lastly, what if I want "everything without a specific cert to
>> use cert X, even though hostname doesn't match".
>
> Unless you use strict-sni [1], there will be a default certificate,
> which is used in case the client doesn't provide an SNI value.
>
> If you really have exotic requirements, you can just map the
> certificates yourself with a crt-list [2].
>
> Lukas
>
> [1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-strict-sni
> [2] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list
--
------------------------------------------------------------
Nathan Neulinger nn...@neulinger.org
Neulinger Consulting (573) 612-1412
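
The following configuration is an added example, not part of the original thread and not taken from anyone's real setup. It shows the three behaviours discussed above (default certificate, `strict-sni`, and explicit mapping with `crt-list`) on an HAProxy 1.5 `bind` line; all paths, hostnames and section names are hypothetical.

```haproxy
# --- /etc/haproxy/haproxy.cfg (hypothetical paths and names) ---
frontend https_in
    mode http
    # The first certificate loaded on the bind line is the default one. It is
    # presented when the client sends no SNI, or an SNI that matches nothing,
    # which gives "everything without a specific cert uses cert X".
    bind :443 ssl crt /etc/haproxy/certs/default.pem crt-list /etc/haproxy/crt-list.txt

    # Stricter variant: with strict-sni there is no fallback. A handshake
    # without a matching SNI fails, so clients never receive a certificate
    # (and its subject names) for a host they did not ask for.
    # bind :443 ssl strict-sni crt-list /etc/haproxy/crt-list.txt

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080

# --- /etc/haproxy/crt-list.txt ---
# One entry per line: <crtfile> [[!]<snifilter> ...]
# With SNI filters, the certificate is selected for those names only,
# regardless of the CN/SAN values it actually contains.
/etc/haproxy/certs/shop.pem shop.example.com
/etc/haproxy/certs/wild.pem *.example.com
# Without a filter, the certificate's own CN and alt subjects are used.
/etc/haproxy/certs/legacy.pem
```

A client that receives the default certificate for a hostname it does not cover will still fail hostname verification, so the fallback mainly determines which certificate a mismatched or SNI-less client gets to see.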