From: Remi Gacogne Date: Mon, 14 Apr 2025 12:09:20 +0000 (+0200) Subject: dnsdist: Document certificate switching support in the OpenSSL provider X-Git-Tag: dnsdist-2.0.0-alpha2~40^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=70448b359e5580569b5222b3b9240a8900210019;p=thirdparty%2Fpdns.git dnsdist: Document certificate switching support in the OpenSSL provider --- diff --git a/pdns/dnsdistdist/docs/advanced/tls-certificates-management.rst b/pdns/dnsdistdist/docs/advanced/tls-certificates-management.rst index af7d91d37f..2a5ebb4265 100644 --- a/pdns/dnsdistdist/docs/advanced/tls-certificates-management.rst +++ b/pdns/dnsdistdist/docs/advanced/tls-certificates-management.rst @@ -14,6 +14,14 @@ For example, to load two certificates, one ``RSA`` and one ``ECDSA`` one: addTLSLocal("192.0.2.1:853", { "/path/to/rsa/pem", "/path/to/ecdsa/pem" }, { "/path/to/rsa/key", "/path/to/ecdsa/key" }) +Before 2.0.0 the ``OpenSSL`` provider did not support selecting the certificate to provide to the client based on the value sent in ``Server Name Indication`` extension of the ``Client Hello`` message, so providing more than one certificate only made sense to support different algorithms, like ``RSA`` and ``ECDSA``. The ``GnuTLS`` provider had no such limitation. +Since 2.0.0, the ``OpenSSL`` provider is capable of selecting the certificate based on the ``SNI`` value, so loading several certificates for different hostnames is now possible. + +.. code-block:: lua + + addTLSLocal("192.0.2.1:853", { "/path/to/cert-hostname1", "/path/to/cert-hostname2" }, { "/path/to/key-hostname1", "/path/to/key-hostname2" }) + + Password-protected PKCS12 files -------------------------------
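Review bot: The new paragraph does not say which certificate the ``OpenSSL`` provider hands out when the client sends no ``SNI`` at all, or sends a name that matches none of the loaded certificates; since the ``DoT`` example right above it (``192.0.2.1:853``) is exactly the kind of listener that receives connections without ``SNI``, a sentence stating the fallback behaviour (for instance whether the first certificate in the list is used) would save operators from guessing and from misreading a fallback as a selection bug. Two smaller points in the same hunk: "based on the value sent in ``Server Name Indication`` extension" is missing "the" before ``Server Name Indication``, and the "Before 2.0.0" and "Since 2.0.0" sentences are on adjacent lines with no blank line between them, so reStructuredText renders them as a single paragraph; a blank line between them would match the paragraph layout used elsewhere in this file.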