mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-11-18 01:11:01 +01:00
HAProxy uses CN and SAN of the certificates to match incoming SNI, and uses the matching certificate in the TLS handshake. `crt-list` goes further and allows configuring SNI filters to explicitly define the FQDNs that should match a certificate.

The first declared certificate of the `crt-list` option follows the same rules, and it's also used as a fallback - the certificate that should be used if SNI isn't provided or the provided one cannot match any certificate or SNI filter. If a provided SNI matches the CN or SAN of the first certificate, the first certificate would be used even if a matching SNI filter is declared later.

This change clarifies this scenario and documents a filter that can be used to convert the first declared certificate into a proper fallback. Should be merged as far as the first SNI filter implementation.
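
The scenario in this commit message, as an added Python model; it is not HAProxy code and not part of the commit. It assumes lookup order is exact name, then single-label wildcard, then the first certificate, and that the filter meant is `!*` from HAProxy's `crt-list` documentation (the message does not name it); file names and CN/SAN values are constructed.

```python
# Simplified model of crt-list certificate selection (not HAProxy source code).
# CERT_NAMES is constructed sample data standing in for each file's CN/SAN.
CERT_NAMES = {
    "default.pem": ["example.com", "www.example.com"],
    "shop.pem": ["shop.internal"],
}
SHADOWED = "default.pem\nshop.pem www.example.com\n"     # first cert's SAN wins
FALLBACK = "default.pem !*\nshop.pem www.example.com\n"  # first cert is fallback only

def parse_crt_list(text):
    """Return [(certfile, [filters])] in declaration order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            certfile, *filters = line.split()
            entries.append((certfile, filters))
    return entries

def build_sni_table(entries, cert_names):
    """Map each name to the first certificate that registers it."""
    exact, wildcard = {}, {}
    for certfile, filters in entries:
        # Assumption: once any SNI filter is present, CN/SAN are not registered.
        names = filters if filters else cert_names[certfile]
        for name in names:
            if name.startswith("!"):
                continue  # negative filters register nothing; only "!*" is modelled
            name = name.lower()
            table, key = (wildcard, name[1:]) if name.startswith("*.") else (exact, name)
            table.setdefault(key, certfile)  # earlier declaration keeps the name
    return exact, wildcard

def select_cert(crt_list_text, sni, cert_names=CERT_NAMES):
    """Return the certificate file this model would present for the given SNI."""
    entries = parse_crt_list(crt_list_text)
    exact, wildcard = build_sni_table(entries, cert_names)
    default = entries[0][0]  # first declared certificate is the fallback
    if not sni:
        return default  # client sent no SNI
    sni = sni.lower()
    if sni in exact:
        return exact[sni]
    _, dot, rest = sni.partition(".")
    return wildcard.get(dot + rest, default) if dot else default
```

With `SHADOWED`, a client asking for `www.example.com` gets `default.pem` although `shop.pem` carries an explicit filter for that name; with `FALLBACK` the same request gets `shop.pem`, and `default.pem` is served only when nothing else matches.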