Hi Daniel,

On 01/25/2017 01:59 PM, Daniel Schneller wrote:
> Hi!
>
> From the (1.6) configuration documentation I understand that for the “crt”
> bind option all files in a directory will be read in alphabetical order
> (exclusions through reserved extensions notwithstanding).
>
> It goes on to say
>
>> The certificates will be presented to clients who provide a
>> valid TLS Server Name Indication field matching one of their CN or alt
>> subjects. Wildcards are supported, where a wildcard character '*' is used
>> instead of the first hostname component […]
>
> I am wondering what the precedence is if there are two certificates matching
> a particular domain.
>
> Say I have two certificates available, one wildcard, and one Extended
> Validation cert, named like this:
>
> cert_001.wildcard.mydomain.com.pem
> cert_002.www.mydomain.crt.pem
>
> and a configuration like this
>
>> frontend web_ssl-sni-based
>
> bind 192.168.205.7:452 ssl crt /etc/haproxy/ssl/
>
> Am I correct to assume (unfortunately I cannot try this out right now) that
> if a request comes in for “www.mydomain.com” it
> will get served with the wildcard certificate, because that one sorts first
> by filename? Or is there some precedence implementation that would prefer the
> more specific cert where the domain actually matches one of the CN / SAN
> fields?
Fully qualified names and wildcard ones are stored in two different trees in memory. In the running process, the lookup is firstly performed on the fully qualified names tree and, only if not found, in the wildcard names tree.

R,
Emeric
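To make the precedence Emeric describes concrete, here is a small model of the two-table lookup written for this thread. It is an added example, not HAProxy's own code: the certificate inventory is constructed (filenames from Daniel's question paired with assumed CN/SAN names instead of parsed PEM files), the function names are the example's own, and the default certificate used when a client sends no SNI is deliberately not modelled.

```python
"""Model of exact-name-first, wildcard-second SNI certificate selection.

Constructed example for the mailing-list thread, not HAProxy source. Certs are
(filename, [DNS names]) pairs; HAProxy would read the names from the PEM files.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for /etc/haproxy/ssl/, already in alphabetical order.
# The name lists are assumed; they are what the CN / subjectAltName would carry.
CERT_DIR: List[Tuple[str, List[str]]] = [
    ("cert_001.wildcard.mydomain.com.pem", ["*.mydomain.com"]),
    ("cert_002.www.mydomain.crt.pem", ["www.mydomain.com", "mydomain.com"]),
]


def build_tables(certs: List[Tuple[str, List[str]]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split every certificate name into an exact table and a wildcard table.

    A wildcard name is keyed by the suffix after the '*', e.g. ".mydomain.com",
    so that one lookup on the SNI's own suffix finds it.
    Assumption of this model: if two files claim the same name in the same
    table, the file loaded first (alphabetically first) is kept.
    """
    exact: Dict[str, str] = {}
    wildcard: Dict[str, str] = {}
    for filename, names in certs:
        for name in names:
            name = name.lower()
            if name.startswith("*."):
                wildcard.setdefault(name[1:], filename)  # store ".mydomain.com"
            else:
                exact.setdefault(name, filename)
    return exact, wildcard


def select_cert(sni: Optional[str], exact: Dict[str, str], wildcard: Dict[str, str]) -> Optional[str]:
    """Return the filename chosen for an SNI value, or None when nothing matches.

    The exact table is consulted first; the wildcard table is only a fallback.
    A wildcard stands in for exactly one leading label, so '*.mydomain.com'
    does not cover 'deep.api.mydomain.com'.
    """
    if not sni:
        return None  # the no-SNI default certificate is outside this model
    sni = sni.lower().rstrip(".")
    if sni in exact:
        return exact[sni]
    first_dot = sni.find(".")
    if first_dot > 0:
        return wildcard.get(sni[first_dot:])
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the lookups Daniel asked about against the constructed directory."""
    exact, wildcard = build_tables(CERT_DIR)
    return {
        host: select_cert(host, exact, wildcard)
        for host in ["www.mydomain.com", "api.mydomain.com",
                     "deep.api.mydomain.com", "mydomain.com"]
    }


if __name__ == "__main__":
    for host, chosen in demo().items():
        print(f"{host:28s} -> {chosen}")
```

Running it shows that www.mydomain.com is answered with cert_002 even though cert_001 sorts first in the directory, because the exact-name table wins before the wildcard table is consulted; api.mydomain.com falls through to the wildcard, and a two-label-deep host matches nothing.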

