Hi all,

I know this has been discussed many times before, but it keeps coming back to 
bite me in ugly ways. Right now, there’s no way (other than plugin code) to 
make TLS behave differently based on the SSL context (the line in 
ssl_multicert.config that matched the SNI or IP). This is a real drag, and a 
serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS 
as what remap.config is to HTTP, but we don’t treat it as such for some reason.

So, what I need right now are two things, but I can see this getting expanded 
in the future:

1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)

2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)


So, something like this (just for show, not a proposal):

   ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https


The settings in records.config then become global defaults for those contexts 
which lack explicit rules.

And discuss.

— leif

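The per-context behaviour the mail asks for, worked through as an added example. This is not Apache Traffic Server code and is not from the author of the mail: it parses lines in the key=value syntax sketched above, fills in global defaults (the role the mail gives records.config) for lines that omit protocols= or alpn=, and builds one ssl.SSLContext per line that an SNI callback swaps in during the handshake, so "no H2 on this cert" becomes an ALPN list without h2 and "no TLSv1.0 on this cert" becomes a minimum version. Two assumptions are mine: a hypothetical sni= field names the server name a line applies to ('*' marks the fallback line), and alpn= carries IANA ALPN ids, so http/1.1 rather than https. The sample config is constructed and the certificate files do not exist, hence the load_files switch.

```python
"""Per-certificate TLS policy keyed by SNI (illustration, not ATS code)."""
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical global defaults, standing in for records.config.
DEFAULT_PROTOCOLS = ("tlsv1.2", "tlsv1.3")
DEFAULT_ALPN = ("h2", "http/1.1")

# Config spelling of each version mapped to the ssl module's enum.
TLS_VERSIONS = {
    "tlsv1.0": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample config; 'sni=' is an assumed field, not an ATS one.
SAMPLE_CONFIG = """
# legacy host: no H2, TLS 1.1 and 1.2 only
sni=ogre.example ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=http/1.1
# hardened host: TLS 1.3 only, ALPN list inherited from the defaults
sni=api.example ssl_cert_name=api.crt ssl_key_name=api.key protocols=tlsv1.3
# fallback line: everything inherited from the defaults
ssl_cert_name=default.crt ssl_key_name=default.key
"""


@dataclass(frozen=True)
class CertPolicy:
    sni: str                    # server name this line matches; '*' = fallback
    cert: str
    key: str
    ca: Optional[str]           # ssl_ca_name; kept but not loaded here
    protocols: Tuple[str, ...]  # allowed versions, config spelling
    alpn: Tuple[str, ...]       # ALPN ids offered, in preference order


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k2=v2 ...' into a dict; quoting is out of scope here."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    return fields


def parse_config(text: str) -> List[CertPolicy]:
    """Parse the file; omitted protocols=/alpn= fall back to the global defaults."""
    policies: List[CertPolicy] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_line(line)
        if "ssl_cert_name" not in f or "ssl_key_name" not in f:
            raise ValueError(f"cert and key are required: {line}")
        protocols = tuple(f["protocols"].split(",")) if "protocols" in f else DEFAULT_PROTOCOLS
        if any(p not in TLS_VERSIONS for p in protocols):
            raise ValueError(f"unknown protocol in {protocols!r}: {line}")
        alpn = tuple(f["alpn"].split(",")) if "alpn" in f else DEFAULT_ALPN
        sni = f.get("sni", "*")
        if sni in seen:
            raise ValueError(f"duplicate sni {sni!r}")
        seen.add(sni)
        policies.append(CertPolicy(sni, f["ssl_cert_name"], f["ssl_key_name"],
                                   f.get("ssl_ca_name"), protocols, alpn))
    return policies


def select_policy(policies: List[CertPolicy], server_name: Optional[str]) -> Optional[CertPolicy]:
    """Exact SNI match first, then the '*' fallback line, else None."""
    by_sni = {p.sni: p for p in policies}
    if server_name is not None and server_name in by_sni:
        return by_sni[server_name]
    return by_sni.get("*")


def build_context(policy: CertPolicy, load_files: bool = True) -> ssl.SSLContext:
    """One SSLContext per line: its own version bounds and its own ALPN list."""
    allowed = {TLS_VERSIONS[p] for p in policy.protocols}
    lo, hi = min(allowed), max(allowed)
    # min/max cannot express a hole such as tlsv1.1,tlsv1.3; refuse rather than widen.
    if any(v not in allowed for v in TLS_VERSIONS.values() if lo <= v <= hi):
        raise ValueError(f"non-contiguous protocol list {policy.protocols!r}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    ctx.set_alpn_protocols(list(policy.alpn))  # e.g. no "h2" => no HTTP/2 on this cert
    if load_files:
        ctx.load_cert_chain(policy.cert, policy.key)
    return ctx


def install_sni_dispatch(policies: List[CertPolicy], load_files: bool = True) -> ssl.SSLContext:
    """Return the fallback context with an SNI callback that swaps in the matched line's context."""
    contexts = {p.sni: build_context(p, load_files) for p in policies}
    fallback_policy = select_policy(policies, None)
    if fallback_policy is None:
        raise ValueError("config has no fallback ('*') line")

    def on_sni(sock, server_name, _default_ctx):
        # Replacing sock.context mid-handshake makes the chosen line's cert,
        # version bounds and ALPN list apply to this connection only.
        sock.context = contexts[select_policy(policies, server_name).sni]
        return None  # None = continue the handshake

    fallback = contexts[fallback_policy.sni]
    fallback.sni_callback = on_sni
    return fallback  # hand this to wrap_socket(..., server_side=True)


if __name__ == "__main__":
    for p in parse_config(SAMPLE_CONFIG):
        print(f"{p.sni:14} protocols={','.join(p.protocols)} alpn={','.join(p.alpn)}")
```

The fallback context is the one handed to wrap_socket(); every other line is reached only through the callback, which is the same shape as the "plugin code" route the mail complains about, just written once against the config instead of per deployment.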