DOC: ssl: crt-list negative filters are only a hint
This issue was reported in #818 but can't be fixed in this version
because there are too many dependencies to do it.
This patch explains the real behavior of the crt-list negative filters
and how to use them correctly.
This is specific to versions prior to 2.1 and must be backported in
all older branches.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 3172921..c924d9d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -11609,8 +11609,11 @@
"ssl-min-ver" and "ssl-max-ver" are also supported. It overrides the
configuration set in bind line for the certificate.
- Wildcards are supported in the SNI filter. Negative filter are also supported,
- only useful in combination with a wildcard filter to exclude a particular SNI.
+ Wildcards are supported in the SNI filter. Negative filters can be specified
+ in the configuration, but they are only used as a hint, they don't do
+ anything. (this changes in newer haproxy versions) If you want to exclude a
+ SNI from a wildcard, use this positive SNI on another line. (like in the
+ example).
The certificates will be presented to clients who provide a valid TLS Server
Name Indication field matching one of the SNI filters. If no SNI filter is
specified, the CN and alt subjects are used. This directive may be specified
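Review bot: In the added lines, "they are only used as a hint, they don't do anything" reads as self-contradictory and leaves the operator guessing what will actually happen. State the effect directly: a negative filter does not exclude that SNI from a wildcard filter, so anyone relying on the exclusion will still have the wildcard line's certificate presented for that name. "(this changes in newer haproxy versions)" should name the version; the commit message says the behavior is specific to versions prior to 2.1. The new text also refers to "the example", which is not among the lines shown in this hunk; confirm that the existing example lists the excluded name as a positive filter on its own line, or add such a line to it.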