Hi Dave,

On Thu, Dec 03, 2015 at 05:36:36PM +0000, Dave Zhu (yanbzhu) wrote:
> On 12/3/15, 1:40 AM, "Willy Tarreau" <[email protected]> wrote:
>
> >I didn't understand what you meant with this last sentence, it sounds like
> >there could be multiple default contexts which are more or less randomly
> >chosen so that confuses me.
>
> Sorry if that was confusing. I was merely trying to indicate that the
> logic to pick the default context will prefer SSL_CTX's with multiple keys
> over SSL_CTX's with fewer keys. So for example: Let's say that after doing
> the checks on all the names, we end up with 3 SSL_CTX's. One is for RSA
> only names, one for ECDSA only names and one for shared names of RSA and
> ECDSA. The code will use the shared SSL_CTX as the default SSL_CTX if none
> has yet been set.
I'm sorry but I'm missing something. In which case could we have the choice
between multiple SSL_CTX? My understanding is that if the SNI is not found in
the list, we currently fall back to the default cert. Now the difference is
supposed to be that for the "default cert" (maybe we should call it the
default name) we may have different certs depending on their types. Then I
don't understand where your example above fits.

Sorry for being bold on this, I'm just at the user's level and want to
understand how I'll know what cert is being presented by default.

Regards,
Willy
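To make the two descriptions in this exchange concrete, here is a small model of the selection rule Dave describes (contexts grouped by the key types a name is available for, the default preferring the context with the most key types, an explicitly configured default winning if one is set) together with the SNI fallback Willy describes (unknown SNI goes to the default). This is an added illustration written for this page, not HAProxy's or OpenSSL's code: SslCtx is a plain Python object standing in for an SSL_CTX, the certificate list is constructed sample data, and the tie-break on equal key-type counts is an assumption made here so the result is deterministic.

```python
# Model of default-SSL_CTX selection for multi-key (RSA + ECDSA) certificates.
# Added example, not HAProxy code: an "SSL_CTX" is just a record of the key
# types it can serve and the SNI names that map to it.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SslCtx:
    key_types: frozenset          # e.g. {"RSA"}, {"ECDSA"} or {"RSA", "ECDSA"}
    names: set = field(default_factory=set)


def build_contexts(certs):
    """certs: iterable of (sni_name, key_type) pairs as loaded from cert files.

    Names available for several key types share one context; names available
    for a single key type get a context for that key type only. Returns the
    contexts keyed by their key-type set, plus the SNI -> context map.
    """
    types_per_name = defaultdict(set)
    for name, key_type in certs:
        types_per_name[name].add(key_type)

    contexts = {}
    sni_map = {}
    for name, types in types_per_name.items():
        ctx = contexts.setdefault(frozenset(types), SslCtx(frozenset(types)))
        ctx.names.add(name)
        sni_map[name] = ctx
    return contexts, sni_map


def choose_default(contexts, explicit=None):
    """Dave's rule: if no default has been set yet, prefer the context with the
    most key types (the shared RSA+ECDSA one over single-type ones).
    Tie-break on the sorted key-type names is an assumption of this model."""
    if explicit is not None:
        return explicit
    return max(contexts.values(),
               key=lambda c: (len(c.key_types), sorted(c.key_types)))


def lookup(sni, sni_map, default):
    """Willy's description: SNI found -> its context, otherwise the default."""
    return sni_map.get(sni, default)


if __name__ == "__main__":
    # Constructed sample data: one name with both key types, two single-type names.
    sample_certs = [
        ("www.example.com", "RSA"),
        ("www.example.com", "ECDSA"),
        ("rsa-only.example.com", "RSA"),
        ("ec-only.example.com", "ECDSA"),
    ]
    ctxs, sni = build_contexts(sample_certs)
    default = choose_default(ctxs)
    for key_types, ctx in ctxs.items():
        print(sorted(key_types), "->", sorted(ctx.names))
    print("default serves:", sorted(default.key_types))
    print("unknown SNI gets:", sorted(lookup("nope.example", sni, default).key_types))
```

With the sample data this yields exactly the three contexts from Dave's example, and the shared RSA+ECDSA context becomes the default; passing `explicit=` models the "if none has yet been set" condition, where a previously set default is kept.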

