nghttpx supports multiple certificates using the --subcert option.
Previously, the SNI hostname was used to select the certificate. With this
commit, the signature algorithm presented by the client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithms (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL and
LibreSSL do not work since they lack the required APIs.

Suppose the wildcard patterns are as follows:
- *.nghttp2.org/foo
- *.img.nghttp2.org/bar
Previously, s.img.nghttp2.org/foo did not match anything. Now it
matches the first pattern.
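
The wildcard change described above, as an added C++ sketch that is not nghttpx's own code. The `WildcardPattern` struct, both function names, exact path comparison, and the "commit to the longest host suffix" model of the earlier behaviour are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model of one wildcard entry: the host part after '*' and an exact path.
struct WildcardPattern {
  std::string host_suffix; // ".nghttp2.org" stands for "*.nghttp2.org"
  std::string path;        // "/foo"
};

// Indices of patterns whose host suffix matches `host`, most specific (longest) first.
static std::vector<std::size_t> candidates(const std::vector<WildcardPattern> &pats,
                                           const std::string &host) {
  std::vector<std::size_t> idx;
  for (std::size_t i = 0; i < pats.size(); ++i) {
    const std::string &s = pats[i].host_suffix;
    // '*' must cover at least one character, so the host has to be longer than the suffix.
    if (host.size() > s.size() && host.compare(host.size() - s.size(), s.size(), s) == 0)
      idx.push_back(i);
  }
  std::stable_sort(idx.begin(), idx.end(), [&](std::size_t a, std::size_t b) {
    return pats[a].host_suffix.size() > pats[b].host_suffix.size();
  });
  return idx;
}

// Assumed earlier behaviour: only the longest matching host wildcard is tried.
int match_longest_only(const std::vector<WildcardPattern> &pats,
                       const std::string &host, const std::string &path) {
  auto idx = candidates(pats, host);
  return (!idx.empty() && pats[idx[0]].path == path) ? static_cast<int>(idx[0]) : -1;
}

// Behaviour after the change: fall back to shorter host wildcards until a path matches.
int match_with_fallback(const std::vector<WildcardPattern> &pats,
                        const std::string &host, const std::string &path) {
  for (std::size_t i : candidates(pats, host))
    if (pats[i].path == path) return static_cast<int>(i);
  return -1;
}

int main() {
  // The two patterns from the message above, in the same order.
  std::vector<WildcardPattern> pats = {{".nghttp2.org", "/foo"}, {".img.nghttp2.org", "/bar"}};
  std::cout << match_longest_only(pats, "s.img.nghttp2.org", "/foo") << " "
            << match_with_fallback(pats, "s.img.nghttp2.org", "/foo") << "\n";
}
```

A request that matches no pattern is typically handled by whatever catch-all route is configured, so the fallback also changes which backend receives requests such as s.img.nghttp2.org/foo.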