MEDIUM: ssl: improve crt-list format to support negation
Improve the crt-list file format to allow a rule to negate a certain SNI:
<crtfile> [[!]<snifilter> ...]
This can be useful when a domain supports a wildcard but you don't want to
deliver the wildcard cert for certain specific domains.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 67c18ec..eb26285 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -7224,17 +7224,19 @@
crt-list <file>
This setting is only available when support for OpenSSL was built in. It
- designates a list of PEM file with an optional SNI filter per certificate,
- with the following format for each line :
+ designates a list of PEM file with an optional list of SNI filter per
+ certificate, with the following format for each line :
- <crtfile> [<snifilter>]
+ <crtfile> [[!]<snifilter> ...]
- Wildcards are supported in the SNI filter. The certificates will be presented
- to clients who provide a valid TLS Server Name Indication field matching one
- of SNI filter. If no SNI filter is specified the CN and alt subjects are
- used. This directive may be specified multiple times. See the "crt" option
- for more information. The default certificate is still needed to meet OpenSSL
- expectations. If it is not used, the strict-sni option may be used.
+ Wildcards are supported in the SNI filter. Negative filter are also supported,
+ only useful in combination with a wildcard filter to exclude a particular SNI.
+ The certificates will be presented to clients who provide a valid TLS Server
+ Name Indication field matching one of the SNI filters. If no SNI filter is
+ specified, the CN and alt subjects are used. This directive may be specified
+ multiple times. See the "crt" option for more information. The default
+ certificate is still needed to meet OpenSSL expectations. If it is not used,
+ the 'strict-sni' option may be used.
defer-accept
Is an optional keyword which is supported only on certain Linux kernels. It
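Review bot: the added description of negative filters ("+ Wildcards are supported in the SNI filter. Negative filter are also supported," / "+ only useful in combination with a wildcard filter to exclude a particular SNI.") leaves the matching semantics unstated: what takes precedence when a server name matches both a positive filter and a negative filter on the same line, and where does a name that is matched only by a negative filter end up (another crt-list entry, or the default certificate)? Since this decides which certificate a client is shown, the doc should spell it out and give one worked line, for example `cert.pem *.example.com !www.example.com`, with the expected outcome for a client sending www.example.com. Minor grammar in the added lines: "a list of PEM file" should read "a list of PEM files", "an optional list of SNI filter" should be "an optional list of SNI filters", and "Negative filter are also supported" should be "Negative filters are also supported"; the quoting is also inconsistent, "crt" in double quotes but 'strict-sni' in single quotes.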