> frontend https-in
>     bind 0.0.0.0:443
>     mode tcp
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>
>     acl sni_jve req.ssl_sni -i jve.linuxwall.info
>     acl tls12 req.payload(9,2) -m bin 0303
>     acl sslv3 req_ssl_ver 3.0
>
>     use_backend jve_https if sni_jve tls12
>     use_backend jve_https_sha1_ssl3 if sslv3
>     # fallback to backward compatible sha1
>     default_backend jve_https_sha1
Are you sure your TLSv1.2 client is actually sending jve.linuxwall.info as the SNI value? I suggest removing the SNI condition while testing the TLS ACL. The ACL works fine for me:

frontend https-in
    bind 10.0.0.55:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl tls12 req.payload(9,2) -m bin 0303
    use_backend google if tls12
    default_backend microsoft

backend google
    server google google.com:443

backend microsoft
    server hotmail microsoft.com:443

"curl -k -v https://10.0.0.55 --tlsv1.2" --> connects to Google
"curl -k -v https://10.0.0.55 --tlsv1.1" --> connects to MS
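To show what the two ACLs above actually inspect, here is an added Python example (not HAProxy code and not from either poster) that applies the same tests to raw ClientHello bytes: `req_ssl_hello_type 1` is a handshake record whose message type is 1, and `req.payload(9,2)` reads the ClientHello version field at byte offset 9, after the 5-byte record header and 4-byte handshake header. The `build_client_hello` helper and the backend names are constructed for the demonstration, mirroring the reply's config.

```python
"""Mirror the thread's HAProxy ACLs on raw TLS ClientHello bytes (added example)."""

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello


def is_client_hello(payload: bytes) -> bool:
    """Equivalent of `req_ssl_hello_type 1`: a handshake record carrying a ClientHello."""
    return (len(payload) >= 11
            and payload[0] == TLS_HANDSHAKE
            and payload[5] == CLIENT_HELLO)


def hello_version(payload: bytes) -> bytes:
    """Equivalent of `req.payload(9,2)`: the ClientHello's two version bytes.

    Offsets: [0..4] record header (type, version, length),
             [5..8] handshake header (type, 3-byte length),
             [9..10] client_version, which the ACL compares against 0303.
    """
    return payload[9:11]


def choose_backend(payload: bytes) -> str:
    """Route like the reply's config: TLS 1.2 hellos to 'google', everything else to 'microsoft'.

    Returns 'rejected' when `tcp-request content accept` would never fire, i.e.
    the data is not a ClientHello and the connection times out at inspect-delay.
    """
    if not is_client_hello(payload):
        return "rejected"
    if hello_version(payload) == b"\x03\x03":   # acl tls12 ... -m bin 0303
        return "google"
    return "microsoft"


def build_client_hello(version: bytes) -> bytes:
    """Constructed minimal ClientHello (sample data, not captured traffic).

    Body: client_version, 32-byte random, empty session id, one cipher suite
    (TLS_RSA_WITH_AES_128_CBC_SHA), null compression, no extensions.
    """
    body = version + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + len(handshake).to_bytes(2, "big")
    return record + handshake
```

Note that a TLS 1.3 client also puts 0x0303 in this field (its real version is negotiated via the supported_versions extension), so this ACL treats TLS 1.3 hellos as TLS 1.2.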