Hey Willy

On 12/3/15, 1:34 PM, "Willy Tarreau" <[email protected]> wrote:

> I'm sorry but I'm missing something. In which case could we have the choice
> between multiple SSL_CTX ? My understanding is that if the SNI is not found
> in the list, we currently fall back to the default cert. Now the difference
> is supposed to be that for the "default cert" (maybe we should call it the
> default name) we may have different certs depending on their types. Then I
> don't understand where your example above fits. Sorry for being bold on this,
> I'm just at the user's level and want to understand how I'll know what cert
> is being presented by default.

HAProxy will use the first "crt" file that it loads as the default cert (represented by bind_conf->default_ctx). So, if you loaded multiple certs in one operation as your first cert, HAProxy will have to determine WHICH cert is the bind_conf->default_ctx. This operation happens during loading of the config, way before any users can connect.

What I'm saying is that the logic for loading multiple certs might generate multiple SSL_CTXs depending on CN/SAN overlap. In that case, it will pick the SSL_CTX that has the highest number of different key types and set it as bind_conf->default_ctx if bind_conf->default_ctx has not been set previously.

Does that make sense?

-Dave
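The selection rule Dave describes, modelled as a small Python simulation so an operator can predict which context would be presented by default. This is an added example, not HAProxy's own code: the Cert/SslCtx types, the "merge into the first overlapping context" grouping and the sample certificate set are assumptions made here to illustrate the logic.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    path: str
    key_type: str            # e.g. "rsa" or "ecdsa"
    names: frozenset         # CN plus SAN entries of the certificate


@dataclass
class SslCtx:
    names: set
    key_types: set
    certs: list = field(default_factory=list)


def group_by_name_overlap(certs):
    """Certs whose CN/SAN sets overlap share one SSL_CTX; disjoint name sets get their own.
    Simplification: a cert is merged into the first context it overlaps with."""
    ctxs = []
    for cert in certs:
        for ctx in ctxs:
            if ctx.names & cert.names:
                ctx.names |= cert.names
                ctx.key_types.add(cert.key_type)
                ctx.certs.append(cert)
                break
        else:
            ctxs.append(SslCtx(set(cert.names), {cert.key_type}, [cert]))
    return ctxs


def pick_default_ctx(ctxs, current_default=None):
    """Keep an already-set default; otherwise choose the context with the most
    distinct key types (max() keeps the first one on ties, i.e. load order)."""
    if current_default is not None:
        return current_default
    return max(ctxs, key=lambda ctx: len(ctx.key_types))


# Constructed sample: one "crt" load operation that contains three certificates.
FIRST_LOAD = [
    Cert("example.com.rsa.pem", "rsa", frozenset({"example.com", "www.example.com"})),
    Cert("example.com.ecdsa.pem", "ecdsa", frozenset({"example.com"})),
    Cert("other.example.pem", "rsa", frozenset({"other.example"})),
]
LOADED_CTXS = group_by_name_overlap(FIRST_LOAD)
DEFAULT_CTX = pick_default_ctx(LOADED_CTXS)          # example.com context: rsa + ecdsa

# A later load must not displace an already-set default.
LATER_CTXS = group_by_name_overlap([Cert("late.example.pem", "ecdsa", frozenset({"late.example"}))])
STILL_DEFAULT = pick_default_ctx(LATER_CTXS, DEFAULT_CTX)
```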

