On Thu, Dec 03, 2015 at 07:24:10PM +0000, Dave Zhu (yanbzhu) wrote:
> HAProxy will use the first "crt" file that it loads as the default
> cert (represented by bind_conf->default_ctx).
>
> So, if you loaded multiple certs in one operation as your first cert,
> HAProxy will have to determine WHICH cert is the bind_conf->default_ctx.
> This operation happens during loading of the config, way before any users
> can connect.

Ah indeed, I had not thought about that.

> What I'm saying is that the logic for loading multiple certs might
> generate multiple SSL_CTX's depending on CN/SAN overlap. In that case, it
> will pick the SSL_CTX that has the highest number of different key types
> and set it as bind_conf->default_ctx if bind_conf->default_ctx has not
> been set previously.
>
> Does that make sense?

Yes it does. I just feel that it adds some uncertainty (for the admin) regarding the choice, and that the risk that the default one changes will change as individual certs are expired/renewed/updated/replaced. Maybe at some point we'll have to make it possible to specify (or to document) the selection order so that it's stable in time and easy to determine.

By the way, this ordering may be required as well for other certs if some people decide, for example, to suddenly make RSA picked before ECDSA (if a vulnerability is reported or whatever, for example). Then in this case we could use the same selection rules.

Thanks for your clear explanation!

Willy
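As an added illustration (not code from the thread or from HAProxy itself), the following Python script models the selection rule Dave describes: certificates loaded in one operation are merged into one SSL_CTX when their CN/SAN sets overlap, and the context with the highest number of distinct key types becomes bind_conf->default_ctx. The file names, host names and the exact overlap rule are assumptions chosen for the example; the check also flags ties, which is the instability Willy raises when an individual cert expires or is replaced.

```python
"""Model of HAProxy's multi-cert default_ctx selection as described in the thread.

This is an added example, not HAProxy code. The overlap rule (any shared CN/SAN
merges two certs into one context) is a simplification assumed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class CertInfo:
    path: str                # hypothetical file name
    key_type: str            # e.g. "RSA" or "ECDSA"
    names: FrozenSet[str]    # CN plus subjectAltName entries


# Constructed sample bundle: an RSA/ECDSA pair for www and a lone RSA cert for api.
SAMPLE_BUNDLE = [
    CertInfo("/etc/haproxy/certs/www.rsa.pem", "RSA",
             frozenset({"www.example.test", "example.test"})),
    CertInfo("/etc/haproxy/certs/www.ecdsa.pem", "ECDSA",
             frozenset({"www.example.test", "example.test"})),
    CertInfo("/etc/haproxy/certs/api.rsa.pem", "RSA",
             frozenset({"api.example.test"})),
]


def group_by_name_overlap(certs: List[CertInfo]) -> List[List[CertInfo]]:
    """Merge certs sharing at least one CN/SAN into one group (one SSL_CTX).

    Groups are kept in load order so that ties resolve the same way every run.
    """
    groups: List[Tuple[Set[str], List[CertInfo]]] = []
    for cert in certs:
        names: Set[str] = set(cert.names)
        members: List[CertInfo] = [cert]
        # Any existing group that overlaps the new cert is folded into it.
        for g in [g for g in groups if g[0] & cert.names]:
            names |= g[0]
            members = g[1] + members
            groups.remove(g)
        groups.append((names, members))
    return [members for _, members in groups]


def key_types(group: List[CertInfo]) -> Set[str]:
    return {c.key_type for c in group}


def pick_default(certs: List[CertInfo]) -> Tuple[List[CertInfo], bool]:
    """Return (default_group, ambiguous).

    The group with the most distinct key types wins; `ambiguous` is True when
    another group has the same count, i.e. the choice depends only on load order.
    """
    groups = group_by_name_overlap(certs)
    if not groups:
        raise ValueError("no certificates loaded")
    ranked = sorted(groups, key=lambda g: len(key_types(g)), reverse=True)  # stable
    best = ranked[0]
    ambiguous = len(ranked) > 1 and len(key_types(ranked[1])) == len(key_types(best))
    return best, ambiguous


def default_names(certs: List[CertInfo]) -> Tuple[str, ...]:
    """Sorted CN/SAN names served by the default context."""
    group, _ = pick_default(certs)
    return tuple(sorted({n for c in group for n in c.names}))


if __name__ == "__main__":
    group, ambiguous = pick_default(SAMPLE_BUNDLE)
    print("default:", default_names(SAMPLE_BUNDLE), "key types:", sorted(key_types(group)),
          "ambiguous:", ambiguous)
    # Simulate the ECDSA cert expiring and being dropped from the bundle.
    reduced = [c for c in SAMPLE_BUNDLE if c.key_type != "ECDSA"]
    print("after dropping ECDSA:", default_names(reduced), "ambiguous:", pick_default(reduced)[1])
```

With the full bundle the www pair (RSA+ECDSA) is the clear default; once the ECDSA cert is removed every group has a single key type, and the script reports the choice as ambiguous, which is exactly the situation an admin would want an explicit, documented selection order for.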

