Hi Olivier, Olivier Doucet wrote: > Is there a way to not present the first loaded certificate and refuse > connection instead ?
You can use the strict-sni argument on the bind line to force the client to speak SNI and refuse the TLS handshake otherwise. See the documentation for details at http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#5.1-strict-sni --Holger