Hi Lukas, > Le 23 sept. 2016 à 18:41, Lukas Tribus <[email protected]> a écrit : > > Hi Manu, > > > Am 23.09.2016 um 16:31 schrieb Emmanuel Hocdet: >> Hi all, >> >> I propose to discuss an option to declare ssl options per certificat/SNI >> (instead of global one on bind directive). >> use cases will be to set alpn/verify/<other valid ssl option> per SNI. > > I think this would be useful and could simplify some configurations a lot, > but are you sure we can do this with the OpenSSL API? >
Basically, haproxy selects one SSL context with the SNI and call openssl for negotiation. The context is construct with cert, key, ssl options… part of this options is actually on bind_conf and could be per cert/SNI. Manu.

