On 01/23/2015 08:27 AM, Lukas Tribus wrote:
SAN = Subject Alternative Name

Ah OK. We could double-check but I *believe* Emeric told me about
something like this when he implemented the SNI. But I could be
wrong and could be confusing it with something else. You could easily
check in the code if you feel at ease with openssl's API (I
personally don't).

It is documented actually for the crt and crt-list keywords that we
check both the CN and subject alternative names (SAN):
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt-list


Emeric just abbreviated them as "alt subjects", but that's what he
means.


Regards,

Lukas



Yes, exactly, haproxy handles the lookup on those SANs.

If you are not satisfied with the default behavior you can also use the statement "crt-list" and a file to perform a manual configuration mapping between certs and SNIs.

R,
Emeric
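
The lookup discussed in this thread, as a simplified Python model added here (not part of the original messages and not HAProxy's own code). It follows the behaviour documented for crt and crt-list in the 1.5 manual linked above: names come from the CN and SANs unless a crt-list line gives SNI filters, a wildcard covers only the first label, and the first loaded certificate is the fallback. File names and host names are constructed sample data.

```python
# Simplified model of the documented crt / crt-list lookup; not HAProxy source.
# File names and host names are constructed sample data.

def build_table(entries):
    """entries: ordered list of (crtfile, cert_names, sni_filters).

    cert_names  = the certificate's CN plus its SAN dNSName values
    sni_filters = filters from a crt-list line (empty when none are given)
    """
    exact, wildcard, negative = {}, {}, {}
    for crtfile, cert_names, sni_filters in entries:
        # With crt-list filters present, they are used instead of CN/SAN.
        for name in (sni_filters or cert_names):
            name = name.lower()
            if name.startswith("!"):            # negative filter
                negative.setdefault(crtfile, set()).add(name[1:])
            elif name.startswith("*."):         # wildcard: first label only
                wildcard.setdefault(name[1:], crtfile)
            else:
                exact.setdefault(name, crtfile)
    return exact, wildcard, negative, entries[0][0]  # first loaded = default


def select_cert(table, sni):
    """Return the certificate file presented for a client's SNI value."""
    exact, wildcard, negative, default = table
    if not sni:
        return default                          # client sent no SNI
    sni = sni.lower()
    if sni in exact:
        return exact[sni]
    dot = sni.find(".")
    if dot > 0:
        crtfile = wildcard.get(sni[dot:])       # "a.example.net" -> ".example.net"
        if crtfile and sni not in negative.get(crtfile, ()):
            return crtfile
    return default                              # no match: first certificate


SAMPLE = build_table([
    ("default.pem", ["www.example.org"], []),
    ("multi.pem", ["shop.example.org", "api.example.org"], []),      # CN + SAN
    ("wild.pem", ["*.example.net"], ["*.example.net", "!internal.example.net"]),
])

if __name__ == "__main__":
    for host in ("api.example.org", "www.example.net", "internal.example.net",
                 "a.b.example.net", None):
        print(host, "->", select_cert(SAMPLE, host))
```

A host that falls through to the default certificate is served a certificate whose names do not cover it, so the client sees a name mismatch.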


