On 2015-10-08 11:28, Lukas Tribus wrote:
>> Attached is a patch that should work but doesn't. (bear with me, I'm
>> in unknown codebase territory here).
>> I also tried to match directly using req.payload, and I can't get the
>> ACL to match:
>> acl tls12 req.payload(9,2) -m bin 0303
> "req.payload(9,2) -m bin 0303" is imho correct, this should work.
> You did configure inspect-delay [1], right? Something like:
> tcp-request inspect-delay 2s
I did. Here's the conf sample. The sslv3 acl works, not the tls12 one.
frontend https-in
    bind 0.0.0.0:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl sni_jve req.ssl_sni -i jve.linuxwall.info
    acl tls12 req.payload(9,2) -m bin 0301
    acl sslv3 req_ssl_ver 3.0
    use_backend jve_https if sni_jve tls12
    use_backend jve_https_sha1_ssl3 if sslv3
    # fallback to backward compatible sha1
    default_backend jve_https_sha1
Could you (or someone else) test it and verify my results?
- Julien
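Added example (not part of the thread, and not HAProxy's own code): a small Python model of what `req.payload(9,2) -m bin <hex>` compares against, built on the byte layout of a TLS ClientHello record (5-byte record header, 4-byte handshake header, then the 2-byte client_version at offset 9). Sample ClientHello bytes are constructed inline rather than captured, `is_client_hello` is a simplified stand-in for `req_ssl_hello_type 1` (assumption: handshake record whose first message has type 1), and `VERSION_NAMES` is just a lookup for the demo. It lets you check, for any hex pattern, which advertised client_version it would match: a TLS 1.2 client advertises 0x0303 at that offset, so a pattern of 0301 matches only TLS 1.0 hellos.

```python
import struct

# Byte layout of a TLS ClientHello at the start of a connection:
#   [0]    record content type (0x16 = handshake)
#   [1:3]  record-layer protocol version
#   [3:5]  record length
#   [5]    handshake type (0x01 = ClientHello)
#   [6:9]  handshake length (3 bytes)
#   [9:11] client_version, which is what req.payload(9,2) reads
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def build_client_hello(record_version, client_version):
    """Constructed sample data (not captured traffic): a minimal ClientHello
    record carrying only the fields the checks below inspect."""
    body = struct.pack(">H", client_version) + bytes(32)   # client_version + 32-byte random
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def is_client_hello(payload):
    """Simplified stand-in for `req_ssl_hello_type 1` (assumption): a handshake
    record whose first message has handshake type 1."""
    return len(payload) >= 11 and payload[0] == 0x16 and payload[5] == 0x01


def req_payload(payload, offset, length):
    """Model of `req.payload(offset,length)`: the raw bytes at a fixed offset, or
    None when the buffer does not yet hold them (inspect-delay still waiting)."""
    if len(payload) < offset + length:
        return None
    return payload[offset:offset + length]


def acl_bin(payload, offset, length, hexpattern):
    """Model of `req.payload(offset,length) -m bin <hex>`: exact byte comparison."""
    chunk = req_payload(payload, offset, length)
    return chunk is not None and chunk == bytes.fromhex(hexpattern)


def client_version_name(payload):
    """Name the version a ClientHello advertises, read from the bytes at offset 9."""
    if not is_client_hello(payload):
        return None
    (ver,) = struct.unpack(">H", payload[9:11])
    return VERSION_NAMES.get(ver, "unknown(0x%04x)" % ver)


if __name__ == "__main__":
    # A TLS 1.2 client commonly sends record version 0x0301 with client_version 0x0303.
    hello = build_client_hello(0x0301, 0x0303)
    print(client_version_name(hello))        # TLS1.2
    print(acl_bin(hello, 9, 2, "0303"))      # True
    print(acl_bin(hello, 9, 2, "0301"))      # False
```

Because `req.payload` reads a fixed offset, it only says anything useful once `tcp-request inspect-delay` has let the whole ClientHello arrive and `req_ssl_hello_type 1` has confirmed the record really is a ClientHello; `req_payload` returning None models the not-yet-available case.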