Hi Willy, Emeric, Christopher

The new patch is much simpler: 


Attachment: 0001-MINOR-ssl-allow-to-start-without-certificate-if-stri.patch
Description: Binary data

> On 28 Jul 2017, at 23:24, Willy Tarreau <w...@1wt.eu> wrote:
> On Fri, Jul 28, 2017 at 07:17:24PM +0200, Emmanuel Hocdet wrote:
>>> I think it's fine not to have a default_cert if not needed
>> The default_cert is always set with the first certificate.
>> The default_cert is used if no certificate matches the SNI.
>> With strict-sni, the default_cert is never used as this.
>> With strict-sni, fail on ssl connection is ok.
>> Having no certificate in the bind line fails all SSL connections. It's OK with
>> the behavior of strict-sni.
>>> (strict_sni && !generate). I don't know if it complicates anything
>>> or not though.
>> I think it does not.
>> I'm on holiday for a week, I'll look at this after.
> OK! No rush anyway, what matters is to have a clear mind on how we want
> all this stuff to work together. It's important to keep in mind that SSL
> combinations become a bit complex and I feel like over the last few months,
> we've caused various types of breakage by lacking a global view on all use
> cases, so it's good to let things cool down a bit after having identified
> them all. That tends to ignite more generic and cleaner designs.
> Cheers,
> Willy
