>> SAN = Subject Alternative Name > > Ah OK. We could double-check but I *believe* Emeric told me about > something like this when he implemented the SNI. But I could be > wrong and could confuse with something else. You could easily > check in the code if you feel at ease with openssl's API (I > personally don't).
It is documented actually for the crt and crt-list keywords that we check both the CN and subject alternative names (SAN): http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list Emeric just abbreviated them as "alt subjects", but thats what he means. Regards, Lukas
