Description: Update FAQ about virtual hosting with HTTPS and SNI
 The text is copied from the README.
Author: Carsten Leonhardt <leo@debian.org>
Bug-Debian: https://bugs.debian.org/697064
Last-Update: 2019-07-10

--- pound-2.8.orig/FAQ
+++ pound-2.8/FAQ
@@ -177,23 +177,18 @@ FREQUENTLY ASKED QUESTIONS
 
 4.2 How can I do virtual hosting with HTTPS?
 
-    The simple answer is that neither you, nor anybody else can, due to a
-    limitation of the HTTPS protocol. In its simplest form an HTTPS (SSL)
-    connection goes through the following stages:
-
-    - negotiation: the client contacts the server, receives a certificate
-      from it, and negotiates the protocol details (cipher parameters, etc).
-
-    - authentication: the client checks that the certificate received matches
-      the server it wanted and validates that the certificate is correct as
-      attested by some certificate authority.
-
-    - request/response: normal HTTP, encrypted in transit.
-
-    As you can see the certificate is sent before any request was received.
-    Unfortunately, the first request specifies the virtual host that the
-    client would like to talk to - and it may not match the server name in
-    the certificate.
+    Starting with the 2.6 series, Pound has SNI support, if your OpenSSL version
+    supports it. Basically you supply Pound with several certificates, one for
+    each virtual host (wild card certificates - as described above - are
+    allowed). On connecting the client signals to which server it wants to talk,
+    and Pound searches among its certificates which would fit. Not all versions
+    of OpenSSL and not all clients support this mode, but if available it allows
+    for virtual hosts over HTTPS.
+
+    An additional option is to use a semi-official TLS extension, the so called
+    alternate subject name. If your version of OpenSSL supports it you may specify
+    in one certificate several alternate server names. This requires support for a
+    special TLS feature, and nor all clients accept it.
 
 4.3 Pound does not start with message "can't read private key"
 
