> frontend https-in
>     bind 0.0.0.0:443
>     mode tcp
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>
>     acl sni_jve req.ssl_sni -i jve.linuxwall.info
>     acl tls12 req.payload(9,2) -m bin 0303
>     acl sslv3 req_ssl_ver 3.0
>
>     use_backend jve_https if sni_jve tls12
>     use_backend jve_https_sha1_ssl3 if sslv3
>     # fallback to backward compatible sha1
>     default_backend jve_https_sha1
Are you sure your TLSv1.2 client is actually sending
jve.linuxwall.info as the SNI value? I suggest removing the
SNI if statement while testing the TLS ACL.
The ACL works fine for me:
frontend https-in
    bind 10.0.0.55:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl tls12 req.payload(9,2) -m bin 0303
    use_backend google if tls12
    default_backend microsoft

backend google
    server google google.com:443

backend microsoft
    server hotmail microsoft.com:443
"curl -k -v https://10.0.0.55 --tlsv1.2" --> connects to Google
"curl -k -v https://10.0.0.55 --tlsv1.1" --> connects to MS
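To see why `req.payload(9,2)` reads the ClientHello version and why a missing SNI sends a TLSv1.2 client to the fallback backend, here is an added Python example (not from the thread or from HAProxy) that builds a constructed ClientHello, parses the fields the ACLs look at, and mirrors the quoted use_backend rules. The byte layout follows the TLS record and handshake format; the `sslv3` check approximates `req_ssl_ver 3.0` by comparing the same version field, which is an assumption about HAProxy's fetch.

```python
import struct

def build_client_hello(version, sni=None, record_version=0x0301):
    """Constructed minimal ClientHello record (test data, not a captured handshake)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # client_version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"                   # one cipher suite, null compression
    if sni:
        name = sni.encode()
        sn_list = b"\x00" + struct.pack(">H", len(name)) + name  # host_name entry in the server_name list
        ext = struct.pack(">HHH", 0, len(sn_list) + 2, len(sn_list)) + sn_list
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", record_version, len(hs)) + hs

def parse_client_hello(rec):
    """Return (handshake version bytes, SNI) as the ACLs in the thread see them."""
    if rec[0] != 0x16 or rec[5] != 0x01:                  # req_ssl_hello_type 1
        raise ValueError("not a ClientHello record")
    hs_version = rec[9:11]                                 # exactly what req.payload(9,2) reads
    p = 11 + 32                                            # skip client_version + random
    p += 1 + rec[p]                                        # session id
    p += 2 + struct.unpack(">H", rec[p:p + 2])[0]          # cipher suites
    p += 1 + rec[p]                                        # compression methods
    sni = None
    if p + 2 <= len(rec):                                  # extensions block is optional
        end = p + 2 + struct.unpack(">H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", rec[p:p + 4])
            if etype == 0:                                 # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack(">H", rec[p + 7:p + 9])[0]
                sni = rec[p + 9:p + 9 + name_len].decode()
            p += 4 + elen
    return hs_version, sni

def choose_backend(rec):
    """Mirror the use_backend rules quoted above (the SNI compare is case-insensitive, -i)."""
    hs_version, sni = parse_client_hello(rec)
    sni_jve = (sni or "").lower() == "jve.linuxwall.info"
    tls12 = hs_version == b"\x03\x03"
    sslv3 = hs_version == b"\x03\x00"   # assumption: approximates req_ssl_ver 3.0
    if sni_jve and tls12:
        return "jve_https"
    if sslv3:
        return "jve_https_sha1_ssl3"
    return "jve_https_sha1"
```

Offset 9 is the handshake-level client_version, not the record-layer version at offset 1, which many TLSv1.2 clients still set to 0x0301. Note also that TLS 1.3 clients send legacy_version 0x0303 at offset 9 and carry the real version in the supported_versions extension, so this ACL cannot tell TLS 1.3 from TLS 1.2.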