Dear community,

we are using the crt-list for different mTLS configs with the same certificate. 
I’d like to align on some details combining wildcard and tenant-specific SNIs.

From current experiments with 2.7.10, the order of the crt-list seems not to 
matter but the best-fitting SNI is chosen:
# crt-list:
/my-domain.pem [verify none] *.my.domain
/my-domain.pem [verify optional ca-file /some-ca.pem]
# connection to offers no CAs as expected
# connection to offers the CA as desired

IIRC, this was different in the past, the wildcard entry was used and also no 
CAs were offered for test123.

Does somebody have more implementation details on this? Can I rely on my 
observations for all crt-list properties, like ciphers and others?

Best regards,
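
An added example, not part of the original post: one way to record which client-CA names a listener offers per SNI, so the observation above can be re-checked after each HAProxy upgrade. The function names and sample excerpts are constructed for illustration; the host, port and SNI passed to `probe` are whatever your frontend uses.

```shell
#!/bin/sh
# Added example: summarise the client-CA offer seen in `openssl s_client` output.

# offered_cas: read s_client output on stdin; print one CA subject per line,
# or "none" when the server offered no CA names for this handshake.
offered_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    # The subject list ends at the next s_client field or section separator.
    in_list && /^(---|Client Certificate Types:|Requested Signature Algorithms:|Shared Requested Signature Algorithms:|Peer sign|Server Temp Key:)/ { in_list = 0 }
    in_list && NF { print; found = 1 }
    END { if (!found) print "none" }
  '
}

# probe HOST PORT SNI: handshake with the given SNI and summarise the offer.
# Needs network access and the openssl CLI; the samples below run offline.
probe() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    offered_cas
}

# Constructed excerpt: what s_client shows when no CA names are offered.
sample_no_cas() { cat <<'EOF'
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
---
EOF
}

# Constructed excerpt: what s_client shows when a CA list is offered.
sample_with_ca() { cat <<'EOF'
---
Acceptable client certificate CA names
C = XX, O = Example, CN = Constructed Test CA
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
Peer signing digest: SHA256
---
EOF
}

echo "no-CA sample:   $(sample_no_cas | offered_cas)"
echo "with-CA sample: $(sample_with_ca | offered_cas)"
```

Running `probe` once per SNI of interest and diffing the output between HAProxy versions shows whether the entry selected for a name has changed.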
