On Tue, Nov 24, 2020 at 08:59:05AM -0300, Joao Morais wrote:
>
> > On Nov 24, 2020, at 05:47, William Lallemand
> > <[email protected]> wrote:
> >
> > Hello Joao,
> >
> > On Sat, Nov 21, 2020 at 12:33:38PM -0300, Joao Morais wrote:
> >>
> >> It’s indeed rather confusing, sorry about the mess.
> >>
> >> Here is a new proposal of the last paragraph, how does it sound? -
> >> suggestions welcome, note that I’m not very familiar with English
> >>
> >> ====
> >>
> >> The first declared certificate of a bind line is used as the default
> >> certificate, either from crt or crt-list option, which haproxy should
> >> use in the TLS handshake if no other certificate matches. This
> >> certificate will also be used if the provided SNI matches its CN or
> >> SAN, even if a matching SNI filter is found on any crt-list. The SNI
> >> filter !* can be used after the first declared certificate to not
> >> include its CN and SAN in the SNI tree, so it will never match except
> >> if no other certificate matches. This way the first declared
> >> certificate acts as a fallback.
> >
> > It looks good in my opinion, can you make a new patch for it?
>
> Sure! Attached a new patch on top of current master.
>
Merged, thanks!

-- 
William Lallemand
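The crt-list layout described in the quoted paragraph, as an added example that is not part of the original thread or of the merged patch. All file paths, section names and host names are constructed; the two crt-list variants are shown as comments because they live in a separate file from haproxy.cfg.

```haproxy
# haproxy.cfg (constructed): one bind line that takes its certificates
# from a crt-list file.
frontend fe_tls
    mode http
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080

# ---------------------------------------------------------------------
# /etc/haproxy/crt-list.txt, variant A: first certificate without filter
#
#   /etc/haproxy/certs/fallback.pem
#   /etc/haproxy/certs/www.pem       www.example.com
#   /etc/haproxy/certs/api.pem       api.example.com
#
# fallback.pem is the first declared certificate of the bind line, so it
# is the default used when no other certificate matches. It is also
# used whenever the client's SNI matches fallback.pem's own CN or SAN,
# which may not be what the operator intended.
#
# ---------------------------------------------------------------------
# /etc/haproxy/crt-list.txt, variant B: "!*" after the first certificate
#
#   /etc/haproxy/certs/fallback.pem  !*
#   /etc/haproxy/certs/www.pem       www.example.com
#   /etc/haproxy/certs/api.pem       api.example.com
#
# "!*" keeps fallback.pem's CN and SAN out of the SNI tree. The
# certificate is still the default for the bind line, but it is only
# presented when no other certificate matches, so it acts purely as a
# fallback.
```

To see which certificate a given name receives, connect with `openssl s_client -connect <host>:443 -servername <name>` and compare the subject of the returned certificate for names that should and should not hit the fallback.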

