git.ipfire.org Git - thirdparty/haproxy.git/commit
MINOR: ssl: support strict-sni in ssl-default-bind-options
author Willy Tarreau <w@1wt.eu>
Sat, 17 May 2025 07:23:04 +0000 (09:23 +0200)
committer Willy Tarreau <w@1wt.eu>
Thu, 22 May 2025 13:31:54 +0000 (15:31 +0200)
commit 3494775a1f4935a18a78360fcf9d5bee5d443d57
tree 7ae0ac0d2eaa1047fccbe0558cceea458f9eb439
parent 7244f16ac451fd796042b2184b5d90ed50f9d5af

Several users already reported that it would be nice to support
strict-sni in ssl-default-bind-options. However, in order to support
it, we also need an option to disable it.

This patch moves the setting of the option from the strict_sni field
to a flag in the ssl_options field so that it can be inherited from
the default bind options, and adds a new "no-strict-sni" directive to
allow disabling it on a specific "bind" line.

The test file "del_ssl_crt-list.vtc" which already tests both options
was updated to make use of the default option and the no- variant to
confirm everything continues to work.
doc/configuration.txt
include/haproxy/listener-t.h
reg-tests/ssl/del_ssl_crt-list.vtc
src/cfgparse-ssl.c
src/ssl_clienthello.c
src/ssl_crtlist.c
src/ssl_sock.c