git.ipfire.org Git - thirdparty/haproxy.git/commit

author	William Lallemand <wlallemand@haproxy.com>
	Wed, 10 Jan 2024 15:07:17 +0000 (16:07 +0100)
committer	William Lallemand <wlallemand@haproxy.com>
	Fri, 12 Jan 2024 16:40:42 +0000 (17:40 +0100)
commit	0bf9d122a901aced2d550ba4ee5d6242c85ff75d
tree	a3a98b509311cd330198cd9c31686323c78a6645	tree \| snapshot
parent	30592168e5fc9111976510bc6bc0ec87065d70c2	commit \| diff

MEDIUM: ssl: generate '*' SNI filters for default certificates

This patch follows the previous one about default certificate selection
("MEDIUM: ssl: allow multiple fallback certificate to allow ECDSA/RSA
selection").

This patch generates '*" SNI filters for the first certificate of a
bind line, it will be used to match default certificates. Instead of
setting the default_ctx pointer in the bind line.

Since the filters are in the SNI tree, it allows to have multiple
default certificate and restore the ecdsa/rsa selection with a
multi-cert bundle.

This configuration:
# foobar.pem.ecdsa and foobar.pem.rsa
bind *:8443 ssl crt foobar.pem crt next.pem

will use "foobar.pem.ecdsa" and "foobar.pem.rsa" as default
certificates.

Note: there is still cleanup needed around default_ctx.

This was discussed in github issue #2392.

include/haproxy/ssl_ckch.h		diff \| blob \| blame \| history
src/ssl_ckch.c		diff \| blob \| blame \| history
src/ssl_crtlist.c		diff \| blob \| blame \| history
src/ssl_sock.c		diff \| blob \| blame \| history