On Fri, Nov 25, Willy Tarreau wrote:
>   - support of multi-certs : different certificates for a same domain so
>     that the best one can be picked according to browser support. The main
>     use is to be able to deliver ECDSA certificates to clients supporting
>     them, without breaking compatibility with older clients.

Does this multi-certs functionality depend on certain openssl version
(does it need >= 1.0.2 to load different ca path for rsa / ecdsa certs) ?

Cloudflare describes in this blog post:
How they decide which certificate to use.

Does haproxy with multi-certs use similar logic to decide between
rsa / ecdsa cert ?


PS. BTW, when upgrading from 1.5.x to 1.6.x or 1.7.x I noticed a minor
compatability difference with Content-Security-Policy headers:
with 1.5.x I had:
http-response set-header Content-Security-Policy connect-src\ 'self'\ 

With 1.6.x/1.7.x clients see this as: connect-src self https://some.host...
(Missing '' around self).

Changing this to:
http-response set-header Content-Security-Policy "connect-src 'self' 
works with 1.6.x/1.7.x.

Jarno Huuskonen

Reply via email to