Dear community,

we are using the crt-list for different mTLS configs with the same certificate. 
I’d like to align on some details combining wildcard and tenant-specific SNIs.

From current experiments with 2.7.10, the order of the crt-list seems not to 
matter but the best-fitting SNI is chosen:
# crt-list:
/my-domain.pem [verify none] *.my.domain
/my-domain.pem [verify optional ca-file /some-ca.pem] test123.my.domain
# connection to abc.my.domain offers no CAs as expected
# connection to test123.my.domain offers the CA as desired

IIRC, this was different in the past: the wildcard entry was used and no 
CAs were offered for test123 either.

Does somebody have more implementation details on this? Can I rely on my 
observations for all crt-list properties, like ciphers and others?

Best regards,
Patrick
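
As an added illustration of the behaviour described in the post above (this is neither HAProxy's code nor the poster's), a small Python model that parses the two crt-list lines and picks the entry whose SNI filter fits best. It assumes that an exact filter beats a wildcard, that a wildcard covers exactly one DNS label, and that crt-list order only breaks ties between equally specific filters.

```python
import re
from dataclasses import dataclass, field

# Constructed crt-list text mirroring the two entries from the post.
CRT_LIST = """\
# crt-list:
/my-domain.pem [verify none] *.my.domain
/my-domain.pem [verify optional ca-file /some-ca.pem] test123.my.domain
"""

# <cert path> [optional "[...]" options] <zero or more SNI filters>
ENTRY_RE = re.compile(r"^(\S+)(?:\s+\[([^\]]*)\])?\s*(.*)$")


@dataclass
class Entry:
    cert: str
    options: str                 # raw text inside [...], e.g. "verify none"
    filters: list = field(default_factory=list)


def parse_crt_list(text):
    """Parse crt-list lines, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        cert, opts, rest = m.group(1), m.group(2) or "", m.group(3)
        entries.append(Entry(cert, opts, rest.split()))
    return entries


def matches(pattern, sni):
    """2 = exact match, 1 = single-label wildcard match, 0 = no match.
    '*.my.domain' matches 'abc.my.domain' but not 'my.domain' or 'x.y.my.domain'."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern == sni:
        return 2
    if pattern.startswith("*."):
        head, _, tail = sni.partition(".")
        if head and tail == pattern[2:]:
            return 1
    return 0


def select_entry(entries, sni):
    """Best-fitting entry for an SNI (assumption: the first entry wins on ties,
    so file order only matters between equally specific filters)."""
    best, best_score = None, 0
    for e in entries:
        score = max((matches(f, sni) for f in e.filters), default=0)
        if score > best_score:
            best, best_score = e, score
    return best
```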
