From 46e49260b35a2a39bbb92f44ceb598ab2db94d6a Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Thu, 18 Nov 2021 17:46:43 +0000 Subject: Allow SNI wildcarding for *.example.com Signed-off-by: Laurent Bercot --- doc/s6-tlsd-io.html | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'doc/s6-tlsd-io.html') diff --git a/doc/s6-tlsd-io.html b/doc/s6-tlsd-io.html index b2a4a1e..f21d487 100644 --- a/doc/s6-tlsd-io.html +++ b/doc/s6-tlsd-io.html @@ -128,6 +128,17 @@ environment variable. If snilevel is 2 or more, the entirely ignored.

+

+ You can wildcard the first level of a SNI domain: you can point +to a valid certificate for foo.example.com for all +values of foo via a variable called CERTFILE:*.example.com +(and have the corresponding KEYFILE:*.example.com). Only the +first level can be wildcarded, and this does not work for top-level +domains (you cannot hold a certificate for *.com). Note: if you are +using a shell to handle your environment variables, be careful to +properly quote them so that it does not attempt to expand the asterisks. +

+

If you are using client certificates, s6-tlsd-io also requires either one of the following variables to be set: -- cgit v1.2.3
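Review bot: The added paragraph in doc/s6-tlsd-io.html does not say which variable is used when both an exact CERTFILE:foo.example.com and CERTFILE:*.example.com are set, nor whether the wildcard matches the bare example.com or a deeper name such as a.b.example.com. "Only the first level can be wildcarded" suggests that exactly one label is matched, but an operator deciding which certificate and key a given SNI name will be served with should not have to infer that. Suggest adding a sentence that states the lookup order (exact name versus wildcard) and that the match covers a single leading label only. The closing note on shell quoting would also be easier to act on if it showed the variable name in its quoted form, since the asterisk sits in the variable name rather than in the value.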