Re: [PATCH] DOC: clarify how to create a fallback crt
On Tue, Nov 24, 2020 at 08:59:05AM -0300, Joao Morais wrote:
>
> > On 24 Nov 2020, at 05:47, William Lallemand wrote:
> >
> > Hello Joao,
> >
> > On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
> >>
> >> It’s indeed rather confusing, sorry about the mess.
> >>
> >> Here is a new proposal of the last paragraph, how does it sound? - suggestions
> >> welcome, note that I’m not very familiar with English
> >>
> >> The first declared certificate of a bind line is used as the default
> >> certificate, either from the crt or crt-list option, which haproxy should use in
> >> the TLS handshake if no other certificate matches. This certificate will also
> >> be used if the provided SNI matches its CN or SAN, even if a matching SNI
> >> filter is found on any crt-list. The SNI filter !* can be used after the first
> >> declared certificate to not include its CN and SAN in the SNI tree, so it will
> >> never match except if no other certificate matches. This way the first
> >> declared certificate acts as a fallback.
> >
> > It looks good in my opinion, can you make a new patch for it?
>
> Sure! Attached a new patch on top of current master.
>

Merged, thanks!

-- 
William Lallemand
Re: [PATCH] DOC: clarify how to create a fallback crt
> On 24 Nov 2020, at 05:47, William Lallemand wrote:
>
> Hello Joao,
>
> On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
>>
>> It’s indeed rather confusing, sorry about the mess.
>>
>> Here is a new proposal of the last paragraph, how does it sound? - suggestions
>> welcome, note that I’m not very familiar with English
>>
>> The first declared certificate of a bind line is used as the default
>> certificate, either from the crt or crt-list option, which haproxy should use in
>> the TLS handshake if no other certificate matches. This certificate will also
>> be used if the provided SNI matches its CN or SAN, even if a matching SNI
>> filter is found on any crt-list. The SNI filter !* can be used after the first
>> declared certificate to not include its CN and SAN in the SNI tree, so it will
>> never match except if no other certificate matches. This way the first
>> declared certificate acts as a fallback.
>
> It looks good in my opinion, can you make a new patch for it?

Sure! Attached a new patch on top of current master.

0001-DOC-better-describes-how-to-configure-a-fallback-crt.patch
Re: [PATCH] DOC: clarify how to create a fallback crt
Hello Joao,

On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
>
> It’s indeed rather confusing, sorry about the mess.
>
> Here is a new proposal of the last paragraph, how does it sound? - suggestions
> welcome, note that I’m not very familiar with English
>
> The first declared certificate of a bind line is used as the default
> certificate, either from the crt or crt-list option, which haproxy should use in
> the TLS handshake if no other certificate matches. This certificate will also
> be used if the provided SNI matches its CN or SAN, even if a matching SNI
> filter is found on any crt-list. The SNI filter !* can be used after the first
> declared certificate to not include its CN and SAN in the SNI tree, so it will
> never match except if no other certificate matches. This way the first
> declared certificate acts as a fallback.

It looks good in my opinion, can you make a new patch for it?

Thanks

-- 
William Lallemand
Re: [PATCH] DOC: clarify how to create a fallback crt
> On 21 Nov 2020, at 12:00, William Lallemand wrote:
>
> On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:
>>
>> The attached patch adds some clarification on how one can declare a
>> proper fallback certificate using crt-list. Feel free to ask me to
>> tune verbosity to a higher or lower level.
>>
>
> That's actually a bit confusing, because the first line of a crt-list is
> not the default certificate. The default certificate is the first
> certificate declared on a bind line.
>
> For example:
>
>   bind :443 ssl crt default.pem crt-list list1.crtlist
>   bind :443 ssl crt-list list1.crtlist crt-list list2.crtlist
>
> In the first case, the fallback certificate will be "default.pem", and
> in the second case, it will be the first line of "list1.crtlist".

It’s indeed rather confusing, sorry about the mess.

Here is a new proposal of the last paragraph, how does it sound? - suggestions welcome, note that I’m not very familiar with English

The first declared certificate of a bind line is used as the default certificate, either from the crt or crt-list option, which haproxy should use in the TLS handshake if no other certificate matches. This certificate will also be used if the provided SNI matches its CN or SAN, even if a matching SNI filter is found on any crt-list. The SNI filter !* can be used after the first declared certificate to not include its CN and SAN in the SNI tree, so it will never match except if no other certificate matches. This way the first declared certificate acts as a fallback.
Re: [PATCH] DOC: clarify how to create a fallback crt
On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:
>
> The attached patch adds some clarification on how one can declare a
> proper fallback certificate using crt-list. Feel free to ask me to
> tune verbosity to a higher or lower level.
>

That's actually a bit confusing, because the first line of a crt-list is not the default certificate. The default certificate is the first certificate declared on a bind line.

For example:

  bind :443 ssl crt default.pem crt-list list1.crtlist
  bind :443 ssl crt-list list1.crtlist crt-list list2.crtlist

In the first case, the fallback certificate will be "default.pem", and in the second case, it will be the first line of "list1.crtlist".

-- 
William Lallemand
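As an added illustration (not part of the thread or of the patch), the two bind forms William shows above, written out with the `!*` filter from Joao's proposed paragraph; file paths and hostnames are made up:

```haproxy
# haproxy.cfg (constructed example)
frontend fe_https
    # Form 1: the crt option comes first on the bind line, so fallback.pem is
    # the default certificate; the crt-list holds the named certificates.
    bind :443 ssl crt /etc/haproxy/certs/fallback.pem crt-list /etc/haproxy/list1.crtlist

# /etc/haproxy/list1.crtlist (constructed example)
# fallback.pem is not listed here. It is still picked whenever the client's SNI
# matches its own CN or SAN, even if a line below carries a matching filter.
/etc/haproxy/certs/example.pem  example.com www.example.com
/etc/haproxy/certs/other.pem    other.example

# ---- alternatively, no crt option at all ----

# haproxy.cfg (constructed example)
frontend fe_https
    # Form 2: the first line of list1.crtlist becomes the default certificate.
    bind :443 ssl crt-list /etc/haproxy/list1.crtlist crt-list /etc/haproxy/list2.crtlist

# /etc/haproxy/list1.crtlist (constructed example)
# The "!*" filter keeps fallback.pem's CN and SAN out of the SNI tree, so it is
# served only when no other certificate matches the SNI the client sent.
/etc/haproxy/certs/fallback.pem !*
/etc/haproxy/certs/example.pem  example.com www.example.com
```

To confirm which certificate a given SNI selects, connect with `openssl s_client -connect 127.0.0.1:443 -servername <name>` and inspect the subject of the certificate presented.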
Re: [PATCH] DOC: clarify how to create a fallback crt
On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:

-- 
William Lallemand

0001-DOC-clarify-how-to-create-a-fallback-crt.patch
Re: [PATCH] DOC: clarify how to create a fallback crt
On Sat, Nov 21, 2020 at 07:48:48AM -0300, Joao Morais wrote:
>
> The attached patch adds some clarification on how one can declare a proper
> fallback certificate using crt-list. Feel free to ask me to tune verbosity to
> a higher or lower level.

Applied, thank you Joao!

Willy
[PATCH] DOC: clarify how to create a fallback crt
The attached patch adds some clarification on how one can declare a proper fallback certificate using crt-list. Feel free to ask me to tune verbosity to a higher or lower level.

0001-DOC-clarify-how-to-create-a-fallback-crt.patch