Hi Willy, Emeric, Christopher,

The new patch is much simpler:
++ Manu
0001-MINOR-ssl-allow-to-start-without-certificate-if-stri.patch
> On 28 Jul 2017, at 23:24, Willy Tarreau <w...@1wt.eu> wrote:
>
> On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet wrote:
>>> I think it's fine not to have a default_cert if not needed
>>
>> The default_cert is always set with the first certificate.
>> The default_cert is used if no certificate matches sni.
>> With strict-sni, the default_cert is never used as this.
>> With strict-sni, fail on ssl connection is ok.
>> Have no certificate in bind line fail on all ssl connection. It's ok with
>> the behavior of strict-sni.
>>
>>> (strict_sni && !generate). I don't know if it complicates anything
>>> or not though.
>>
>> I think not.
>> I'm on holiday for a week, I'll look at this after.
>
> OK! No rush anyway, what matters is to have a clear mind on how we want
> all this stuff to work together. It's important to keep in mind that SSL
> combinations become a bit complex and I feel like over the last few months,
> we've caused various types of breakage by lacking a global view on all use
> cases, so it's good to let things cool down a bit after having identified
> them all. That tends to ignite more generic and cleaner designs.
>
> Cheers,
> Willy