On 2015-10-08 18:24, Lukas Tribus wrote:
> Are you sure your TLSv1.2 client is actually sending jve.linuxwall.info as SNI value? I suggest removing the SNI if statement while testing the TLS ACL.

Argh... I can't count the number of times forgetting -servername in openssl s_client got me looking for a bug. This one included.

"acl tls12 req.payload(9,2) -m bin 0303" works as expected. My patch still doesn't, but at least I have an environment that makes sense :)

Thanks!
Julien
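
What the ACL in this thread looks at, as an added example that is not part of the original messages: the code builds a constructed ClientHello, reads the two bytes at offset 9 that `req.payload(9,2)` compares with 0303, and shows that no SNI value exists when the client does not send one (as with `openssl s_client` without `-servername`). The function names and the sample hello are assumptions made for illustration.

```python
import struct

def build_client_hello(version=b"\x03\x03", sni=None):
    """Constructed minimal ClientHello record (sample input, not a capture)."""
    ext = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        body = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(body)) + body            # extension type 0
    hello = (version + bytes(32)        # client_version, random
             + b"\x00"                  # empty session_id
             + b"\x00\x02\x00\x2f"      # one cipher suite
             + b"\x01\x00"              # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello         # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record header

def inspect_client_hello(payload):
    """Return (client_version bytes at offset 9, SNI host name or None)."""
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    # 5-byte record header + 4-byte handshake header, so client_version is
    # at offset 9: the same two bytes req.payload(9,2) matches against 0303.
    version = payload[9:11]
    pos = 11 + 32                                                # skip random
    pos += 1 + payload[pos]                                      # session_id
    pos += 2 + int.from_bytes(payload[pos:pos + 2], "big")       # cipher_suites
    pos += 1 + payload[pos]                                      # compression
    if pos + 2 > len(payload):
        return version, None                                     # no extensions
    end = pos + 2 + int.from_bytes(payload[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        if etype == 0:                                           # server_name
            nlen = int.from_bytes(payload[pos + 7:pos + 9], "big")
            return version, payload[pos + 9:pos + 9 + nlen].decode()
        pos += 4 + elen
    return version, None

if __name__ == "__main__":
    print(inspect_client_hello(build_client_hello(sni="jve.linuxwall.info")))
    print(inspect_client_hello(build_client_hello()))            # client sent no SNI
```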