On Sat, Aug 15, 2020 at 04:09:14PM +0200, William Lallemand wrote:
> On Fri, Aug 14, 2020 at 07:23:36PM +0200, Willy Tarreau wrote:
> > Another long-standing issue was addressed by William today, regarding how
> > filters "work" in crt-lists. When using an exclusion they don't work well
> > because instead of using a list of exclusions, a lookup is performed and
> > the matching entry is skipped. While that might work in certain cases
> > (single entry for a given cert), there are situations where it cannot work
> > like when this is used to exclude certain servernames from certain cert
> > types. Thus William reworked that so that it really does what the doc
> > says and what the syntax suggests. It should not have any visible effect
> > for all those who were not subject to the problem, but might possibly
> > reveal issues in certain broken configs that were working by accident
> > (i.e. the desired cert is broken and not used and might suddenly be
> > exposed). If you're using crt-lists with exclusions, you're welcome to
> > verify that it's still OK for you. After some time this fix will be
> > backported so that users don't get trapped anymore, but we'll have to
> > delay this to avoid bad surprises.
>
> There is indeed a problem which was identified with the exclusions, but
> the current commits fix another problem (issue #810). The problem lies
> in the lookup of the SNIs: if an SNI with a single name is found, it
> won't try to look up a wildcard, which is a problem if you use a
> single-name certificate for ECDSA and a wildcard for the RSA
> certificate. This bug was introduced quite recently and backported as
> far as 1.8 in December 2019...
>
> But this is not a fix for the negative filters, that should also be
> fixed but needs a rework of the filters.
OK, then sorry for confusing the two and thanks for clarifying. Willy
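The SNI lookup problem William describes (issue #810) is easier to see with a small model. The following is an added example, not HAProxy code: it models a crt-list as a map from SNI pattern to the key types available for it, and contrasts a lookup that stops at the first exact-name hit with one that falls through to the wildcard entry when the exact entry lacks the requested key type. The names, the two-entry crt-list and the `lookup_buggy`/`lookup_fixed` functions are all constructed for illustration; the real HAProxy code paths differ.

```python
# Added example (not HAProxy code): simplified model of the crt-list SNI lookup
# discussed in the thread. A crt-list can carry one certificate per key type for
# the same name, so the store is keyed by SNI pattern and each entry records which
# key types (rsa / ecdsa) exist for it. The reported bug: once an exact-name entry
# is found, the search ends, even when the key type the client negotiated only
# exists on the wildcard entry. All names below are constructed.

from typing import Dict, List, Optional

# Constructed crt-list: a single-name ECDSA cert and a wildcard RSA cert,
# which is exactly the combination the thread says was broken.
CRT_LIST: Dict[str, List[str]] = {
    "secure.example.com": ["ecdsa"],
    "*.example.com": ["rsa"],
}


def wildcard_for(servername: str) -> Optional[str]:
    """Return the single-label wildcard pattern covering servername, or None.

    A wildcard must still leave at least two labels to the right ("*.tld" is
    not matched), so a two-label name has no wildcard candidate.
    """
    labels = servername.split(".")
    if len(labels) < 3:
        return None
    return "*." + ".".join(labels[1:])


def lookup_buggy(servername: str, key_type: str,
                 crt_list: Dict[str, List[str]] = CRT_LIST) -> Optional[str]:
    """Model of the pre-fix behaviour: an exact-name hit ends the search.

    If the exact entry exists but lacks key_type, None is returned even though
    a matching wildcard entry would have served the request.
    """
    exact = crt_list.get(servername)
    if exact is not None:
        return servername if key_type in exact else None
    wildcard = wildcard_for(servername)
    if wildcard is not None and key_type in crt_list.get(wildcard, []):
        return wildcard
    return None


def lookup_fixed(servername: str, key_type: str,
                 crt_list: Dict[str, List[str]] = CRT_LIST) -> Optional[str]:
    """Model of the fixed behaviour: try the exact name, then the wildcard,
    and only give up when neither offers the requested key type."""
    for pattern in (servername, wildcard_for(servername)):
        if pattern is not None and key_type in crt_list.get(pattern, []):
            return pattern
    return None


if __name__ == "__main__":
    for name, key_type in (("secure.example.com", "ecdsa"),
                           ("secure.example.com", "rsa"),
                           ("other.example.com", "rsa")):
        print(f"{name:20} {key_type:5} buggy={lookup_buggy(name, key_type)!s:20} "
              f"fixed={lookup_fixed(name, key_type)}")
```

The buggy lookup serves ECDSA for `secure.example.com` but returns nothing for RSA, so an RSA-only client gets no certificate for that name; the fixed lookup returns the wildcard entry for RSA while still preferring the exact ECDSA entry, and behaves identically to the old code for names that have no exact entry.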

