Hi,

> Hi there, 
> 
> I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options 
> no-sslv3 no-tlsv10' (without the quotes of course) under the global 
> section as I want all my front-ends not to support SSLv3 or TLS1.0. 
> 
> However I do have a client that still requires SSLv3 support (for their 
> own reasons). I have tried using force-sslv3 on the server line in the 
> backend that matches their site, however this does not seem to be 
> working at all.

I don't think this is a supported configuration. Afaik force-sslv3 doesn't
invert a previous no-sslv3 setting and that is indeed the behavior you
are seeing, so I would say this is expected.

force-sslv3 sets SSLv3_method, no-sslv3 sets SSL_OP_NO_SSLv3 [1].
Setting both together doesn't make any sense. That's how the
OpenSSL API is.



Regards,

Lukas

[1] https://www.openssl.org/docs/ssl/SSL_CTX_new.html
