Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 84e417d8593438b56654125d6e86d948038cfa45^! / . / doc / configuration.txt
commit84e417d8593438b56654125d6e86d948038cfa45[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Wed Aug 16 11:33:17 2017 +0200
committerWilly Tarreau <w@1wt.eu>Fri Oct 27 10:54:05 2017 +0200
tree56ceef3ca044f13975957473c57e0892e042363b
parent48e875563908c0ed0363aef27e2ca20ee00f13bf [diff] [blame]
MINOR: ssl: support Openssl 1.1.1 early callback for switchctx

Use Openssl-1.1.1 SSL_CTX_set_client_hello_cb to mimic BoringSSL early callback.
Native multi certificate and SSL/TLS method per certificate is now supported by
Openssl >= 1.1.1.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 5a8c8b5..bd8cafa 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -10399,8 +10399,9 @@
   to use both RSA and ECDSA cipher suites. Users connecting with an SNI of
   "rsa.example.com" will only be able to use RSA cipher suites, and users
   connecting with "ecdsa.example.com" will only be able to use ECDSA cipher
-  suites. With BoringSSL multi-cert is natively supported, no need to bundle
-  certificates. ECDSA certificate will be preferred if client support it.
+  suites. With BoringSSL and Openssl >= 1.1.1 multi-cert is natively supported,
+  no need to bundle certificates. ECDSA certificate will be preferred if client
+  support it.
 
   If a directory name is given as the <cert> argument, haproxy will
   automatically search and load bundled files in that directory.
@@ -10424,7 +10425,7 @@
 
   sslbindconf support "npn", "alpn", "verify", "ca-file", "no-ca-names",
   crl-file", "ecdhe", "curves", "ciphers" configuration. With BoringSSL
-  "ssl-min-ver" and "ssl-max-ver" are also supported.
+  and Openssl >= 1.1.1 "ssl-min-ver" and "ssl-max-ver" are also supported.
   It override the configuration set in bind line for the certificate.
 
   Wildcards are supported in the SNI filter. Negative filter are also supported,
@@ -10438,9 +10439,9 @@
 
   Multi-cert bundling (see "crt") is supported with crt-list, as long as only
   the base name is given in the crt-list. SNI filter will do the same work on
-  all bundled certificates. With BoringSSL multi-cert is natively supported,
-  avoid multi-cert bundling. RSA and ECDSA certificates can be declared in a
-  row, and set different ssl and filter parameter.
+  all bundled certificates. With BoringSSL and Openssl >= 1.1.1 multi-cert is
+  natively supported, avoid multi-cert bundling. RSA and ECDSA certificates can
+  be declared in a row, and set different ssl and filter parameter.
 
   crt-list file example:
         cert1.pem