From ae27fe4ce839df8d4dc1df093a780c8f4b3740f3 Mon Sep 17 00:00:00 2001
From: Bapuji Koraganti <34816445+bkoragan@users.noreply.github.com>
Date: Mon, 6 Apr 2026 19:28:44 -0400
Subject: [PATCH] internal: fix certificate fallback without SNI (#21417)

21412: fix falls back to RSA instead of configured other TLS Certificates for a brand/domain Honor the other certificates other than RSA
---
 internal/web/web_tls.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/internal/web/web_tls.go b/internal/web/web_tls.go
index 9aca90a5c8..c907c65711 100644
--- a/internal/web/web_tls.go
+++ b/internal/web/web_tls.go
@@ -18,11 +18,7 @@ func (ws *WebServer) GetCertificate() func(ch *tls.ClientHelloInfo) (*tls.Config
 }
 return func(ch *tls.ClientHelloInfo) (*tls.Config, error) {
 cfg := utils.GetTLSConfig()
- if ch.ServerName == "" {
- cfg.Certificates = []tls.Certificate{fallback}
- return cfg, nil
- }
- if ws.ProxyServer != nil {
+ if ch.ServerName != "" && ws.ProxyServer != nil {
 appCert := ws.ProxyServer.GetCertificate(ch.ServerName)
 if appCert != nil {
 cfg.Certificates = []tls.Certificate{*appCert}
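Review bot: With the early return removed, a ClientHello without SNI now falls through past the `appCert` branch with `ch.ServerName == ""`, and nothing in this hunk shows that later path handling an empty name or still ending at `fallback`. The closure continues outside the hunk, so confirm there that any lookup keyed on the server name treats `""` as "use the default", never dereferences a nil result, and never returns with `cfg.Certificates` empty. Clients connecting by bare IP previously only ever saw `fallback`; if they now receive a brand certificate, its subject names become visible to anyone probing the address, which is worth stating as an accepted trade-off. A comment on the new condition such as `// No SNI: skip the per-application lookup; brand/default selection below chooses the certificate.` and a test that drives the callback with an empty `ServerName` would pin the intended behaviour.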