DOC: config: strict-sni allows to start without certificate
The strict-sni keyword allows starting without a certificate on a bind
line.
Must be backported as far as 2.2.
(cherry picked from commit 5c099351d172a79f9ab4de043a78139b883bca93)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 708b774e3900df807116707e3b96a17108dc435f)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 83f49793bb345ea26397f51e32184ee5fb3616fd)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 7d3945b05576b8d1f7956bd5a107c100191cce61)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/doc/configuration.txt b/doc/configuration.txt
index bd3383d..60345a2 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -13542,7 +13542,8 @@
who provide a valid TLS Server Name Indication field matching one of their
CN or alt subjects. Wildcards are supported, where a wildcard character '*'
is used instead of the first hostname component (e.g. *.example.org matches
- www.example.org but not www.sub.example.org).
+ www.example.org but not www.sub.example.org). If an empty directory is used,
+ HAProxy will not start unless the "strict-sni" keyword is used.
If no SNI is provided by the client or if the SSL library does not support
TLS extensions, or if the client provides an SNI hostname which does not
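Review bot: the new sentence in the "crt" paragraph covers the start-up consequence of an empty directory but not what happens to client connections afterwards; since the "strict-sni" text in this same patch says the default certificate is not used and negotiation only succeeds for an SNI matching a certificate, an empty directory with "strict-sni" means every TLS handshake on that bind line is refused until a certificate is loaded, and the paragraph would be clearer stating that, e.g. `HAProxy will not start unless the "strict-sni" keyword is used, in which case all TLS handshakes on this bind line are rejected until a certificate is added.` A pointer to the "strict-sni" keyword's own entry, rather than only naming it in quotes, would also help readers find the runtime-loading note that lives there.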
@@ -13963,8 +13964,11 @@
strict-sni
This setting is only available when support for OpenSSL was built in. The
SSL/TLS negotiation is allow only if the client provided an SNI which match
- a certificate. The default certificate is not used.
- See the "crt" option for more information.
+ a certificate. The default certificate is not used. This option also allows
+ to start without any certificate on a bind line, so an empty directory could
+ be used and filled later from the stats socket.
+ See the "crt" option for more information. See "add ssl crt-list" command in
+ the management guide.
tcp-ut <delay>
Sets the TCP User Timeout for all incoming connections instantiated from this
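Review bot: the paragraph being edited keeps two grammar slips in its unchanged context lines ("negotiation is allow only" should read "negotiation is allowed only", and "an SNI which match a certificate" should read "an SNI which matches a certificate"), and the added lines introduce similar ones ("allows to start" should read "allows starting", "could be used and filled later" reads better as "can be used and filled later"); since the whole paragraph is touched, fixing all of them in this patch is cheap. The cross-reference is also missing its article: `See the "add ssl crt-list" command in the management guide.`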