Hello, On Fri, Nov 25, Willy Tarreau wrote: > - support of multi-certs : different certificates for a same domain so > that the best one can be picked according to browser support. The main > use is to be able to deliver ECDSA certificates to clients supporting > them, without breaking compatibility with older clients.
Does this multi-certs functionality depend on certain openssl version (does it need >= 1.0.2 to load different ca path for rsa / ecdsa certs) ? Cloudflare describes in this blog post: https://blog.cloudflare.com/tls-certificate-optimization-technical-details/ How they decide which certificate to use. Does haproxy with multi-certs use similar logic to decide between rsa / ecdsa cert ? -Jarno PS. BTW, when upgrading from 1.5.x to 1.6.x or 1.7.x I noticed a minor compatability difference with Content-Security-Policy headers: with 1.5.x I had: http-response set-header Content-Security-Policy connect-src\ 'self'\ https://some.host... With 1.6.x/1.7.x clients see this as: connect-src self https://some.host... (Missing '' around self). Changing this to: http-response set-header Content-Security-Policy "connect-src 'self' https://some.host..." works with 1.6.x/1.7.x. -- Jarno Huuskonen