> On 21 Nov 2020, at 12:00, William Lallemand <[email protected]>
> wrote:
>
> On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:
>>
>> The attached patch adds some clarification on how one can declare a
>> proper fallback certificate using crt-list. Feel free to ask me to
>> tune verbosity to a higher or lower level.
>>
>
> That's actually a bit confusing, because the first line of a crt-list is
> not the default certificate. The default certificate is the first
> certificate declared on a bind line.
>
> For example:
>
> bind :443 ssl crt default.pem crt-list list1.crtlist
> bind :443 ssl crt-list list1.crtlist crt-list list2.crtlist
>
> In the first case, the fallback certificate will be "default.pem", and
> in the second case, it will be the first line of "list1.crtlist".
It's indeed rather confusing, sorry about the mess.
Here is a new proposal for the last paragraph; how does it sound? Suggestions
are welcome; note that I'm not very familiar with English.
====
The first declared certificate of a bind line is used as the default
certificate, whether it comes from the crt or the crt-list option, and haproxy
will use it in the TLS handshake if no other certificate matches. This
certificate will also be used if the provided SNI matches its CN or SAN, even
if a matching SNI filter is found on any crt-list. The SNI filter !* can be
used after the first declared certificate so that its CN and SAN are not
included in the SNI tree; it will then never match except when no other
certificate matches. This way the first declared certificate acts as a
fallback.
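As an added example that is not part of the thread above, here is how the fallback described in the proposed paragraph looks in a configuration. The file paths and hostnames are made-up placeholders; the crt-list syntax (certificate path followed by SNI filters, `!` negating a filter) is HAProxy's own.

```haproxy
# haproxy.cfg
frontend https-in
    # The first certificate declared on the bind line is the default one.
    # Here it comes from the first line of the crt-list file.
    bind :443 ssl crt-list /etc/haproxy/certs.crtlist
    default_backend app

# /etc/haproxy/certs.crtlist  (one certificate per line: <file> [ssl options] [<filters>...])
#
# Line 1 is the default/fallback certificate. The "!*" filter keeps its CN
# and SAN out of the SNI tree, so it is only served when no other line
# matches the client's SNI (or when the client sends no SNI at all).
/etc/haproxy/certs/fallback.pem !*
#
# Without "!*" the first line would still be the fallback, but it would
# also be picked whenever the SNI matched its own CN/SAN, even if a later
# line had an explicit filter for that name.
/etc/haproxy/certs/example-com.pem example.com www.example.com
/etc/haproxy/certs/wildcard-example-net.pem *.example.net !secure.example.net
/etc/haproxy/certs/secure-example-net.pem secure.example.net
```

To check which certificate is actually served, connect with an SNI that matches no filter (e.g. `openssl s_client -connect 127.0.0.1:443 -servername nomatch.example`) and inspect the subject of the returned certificate.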