DOC: better describes how to configure a fallback crt
A default certificate is always the first one declared in the bind line,
either from `crt` or from `crt-list` option. This commit updates the
description of how to configure a fallback certificate, clarifying that
it needs to be the first one of the bind line.
Should be merged as far as the first SNI filter implementation.
(cherry picked from commit aa8fcc4692b8c2afda455199a694067fea9e9262)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 609257a..70e0151 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -12611,13 +12611,14 @@
Empty lines as well as lines beginning with a hash ('#') will be ignored.
- The first valid line declares the default certificate, which haproxy should
- use in the TLS handshake if no other certificate matches, just like the crt
- bind option. This certificate will also be used if the provided SNI matches
- its CN or SAN, even if a matching SNI filter is declared later. The SNI filter
- !* can be used after the first certificate to not include its CN and SAN in
- the SNI tree, so it will never match except if no other certificate matches.
- This way the first declared certificate act as a fallback.
+ The first declared certificate of a bind line is used as the default
+ certificate, either from crt or crt-list option, which haproxy should use in
+ the TLS handshake if no other certificate matches. This certificate will also
+ be used if the provided SNI matches its CN or SAN, even if a matching SNI
+ filter is found on any crt-list. The SNI filter !* can be used after the first
+ declared certificate to not include its CN and SAN in the SNI tree, so it will
+ never match except if no other certificate matches. This way the first
+ declared certificate act as a fallback.
crt-list file example:
cert1.pem !*
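Review bot: In the added paragraph, the clause "either from crt or crt-list option" sits between "default certificate" and "which haproxy should use", so the relative clause reads as if it described the option rather than the certificate. Moving the clause next to "bind line" (for example "The first certificate declared on a bind line, either from the crt or the crt-list option, is used as the default certificate, which haproxy should use ...") removes the ambiguity. The last added sentence also carries over "act as a fallback" from the removed text, which should read "acts as a fallback". Finally, the new wording says the default can come from crt, but the only way shown to exclude its CN and SAN from the SNI tree is the !* filter in the crt-list file example that follows; the paragraph should state explicitly whether a first certificate declared with crt can be turned into a pure fallback, or that it has to be declared through a crt-list for that.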