Thanks Lukas,

So it's either SSLv3 is enabled for all, or it's disabled for all?
Is there a way to have SSLv3 enabled for one backend only?

- Travis

On 4/07/2015 1:01 am, Lukas Tribus wrote:
> Hi,
>
>
>> Hi there,
>>
>> I'm running haproxy 1.5.12 and I have set 'ssl-default-bind-options
>> no-sslv3 no-tlsv10' (without the quotes of course) under the global
>> section as I want all my front-ends not to support SSLv3 or TLS1.0.
>>
>> However I do have a client that still requires SSLv3 support (for their
>> own reasons). I have tried using force-sslv3 on the server line in the
>> backend that matches their site, however this does not seem to be
>> working at all.
> I don't think this is a supported configuration. Afaik force-sslv3 doesn't
> invert a previous no-sslv3 setting and that is indeed the behavior you
> are seeing, so I would say this is expected.
>
> force-sslv3 sets SSLv3_method, no-sslv3 sets SSL_OP_NO_SSLv3 [1].
> Setting both together doesn't make any sense. That's how the
> OpenSSL API is.
>
>
>
> Regards,
>
> Lukas
>
>
> [1] https://www.openssl.org/docs/ssl/SSL_CTX_new.html

