> Attached is a patch that should work but doesn't. (bear with me, I'm in
> unknown codebase territory here).
>
> I also tried to match directly using req.payload, and I can't get the
> ACL to match:
> acl tls12 req.payload(9,2) -m bin 0303

"req.payload(9,2) -m bin 0303" is imho correct, this should work.

You did configure inspect-delay [1], right? Something like:

  tcp-request inspect-delay 2s

Regards,

Lukas

[1] http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20inspect-delay
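
Added example, not part of the original thread and not HAProxy code: a small Python model of which bytes `req.payload(9,2)` reads in a TLS ClientHello, and of why the match stays undecided until at least 11 bytes are buffered, which is what an inspect delay gives the rule time for. The function names and the sample ClientHello bytes are constructed for illustration.

```python
import struct

def build_client_hello_prefix(client_version: bytes) -> bytes:
    """Constructed sample: start of a TLS record carrying a ClientHello."""
    body = client_version + bytes(32)  # client_version + 32-byte random (zeros)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record header: type 0x16 (handshake), record-layer version, length.
    return b"\x16" + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def payload(buf: bytes, offset: int, length: int):
    """Model of a fixed-offset fetch: None while the bytes are not buffered yet."""
    if len(buf) < offset + length:
        return None
    return buf[offset:offset + length]

def parse_prefix(buf: bytes):
    """Name the fields that sit in front of, and at, offset 9."""
    if len(buf) < 11:
        return None
    return {
        "record_type": buf[0:1],       # offset 0
        "record_version": buf[1:3],    # offsets 1-2, separate from client_version
        "record_length": buf[3:5],     # offsets 3-4
        "handshake_type": buf[5:6],    # offset 5
        "handshake_length": buf[6:9],  # offsets 6-8
        "client_version": buf[9:11],   # offsets 9-10, what payload(9,2) reads
    }

def acl_tls12(buf: bytes):
    """The check from the thread: bytes 9-10 equal 03 03. None = undecided."""
    got = payload(buf, 9, 2)
    return None if got is None else got == bytes.fromhex("0303")

if __name__ == "__main__":
    hello = build_client_hello_prefix(b"\x03\x03")
    for n in (0, 5, 11):  # bytes received so far
        print(n, acl_tls12(hello[:n]))
```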