From: William Lallemand Date: Wed, 27 Aug 2025 08:56:24 +0000 (+0200) Subject: DOC: configuration: reword 'generate-certificates' X-Git-Tag: v3.3-dev8~100 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c36e4fb17f63bfb798856d63bfd7d3bc2d05f70c;p=thirdparty%2Fhaproxy.git DOC: configuration: reword 'generate-certificates' Reword the 'generate-certificates' keyword documentation to clarify what's happening upon error. This was discussed in ticket #3082. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 795694227..5298a239a 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -16693,8 +16693,12 @@ generate-certificates name mismatch on the certificate presented to the client. With this option enabled, HAProxy will try to forge a certificate using the SNI hostname indicated by the client. This is done only if no certificate matches the SNI - hostname (see 'crt-list'). If an error occurs, the default certificate is - used, else the 'strict-sni' option is set. + hostname (see 'crt-list'). + + In the event of a certificate generation error, the connection will fall back + on the default certificate. When using 'strict-sni', the default certificate + will not be used and the connection will result in a handshake failure. + It can also be used when HAProxy is configured as a reverse proxy to ease the deployment of an architecture with many backends.
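Review bot: In the added paragraph, the sentence "When using 'strict-sni', the default certificate will not be used and the connection will result in a handshake failure" does not say that it still refers to the generation-error case, so it can be read as describing what 'strict-sni' does in general whenever this option is enabled. Tying it to the previous sentence would remove the ambiguity, for example: "If 'strict-sni' is also set, a generation error results in a handshake failure instead of a fallback on the default certificate." Separately, the unchanged line "It can also be used when HAProxy is configured as a reverse proxy" now follows a paragraph about error handling, so "It" no longer has an obvious antecedent; "This option can also be used" would read better after the new paragraph break.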