Hi,
On 04/10/2015 17:16, Julien Vehent wrote:
Hi everyone,
I'm working on a configuration that routes to a different backend based
on the TLS version, using:
acl modern_tls req_ssl_ver 3.3
However, it appears that the acl never returns true. I'm testing with:
$ openssl s_client -connect <target>:443 -servername <target> -tls1_2
I tried various syntaxes too, such as "req_ssl_ver 3.3:3.99", but none work.
Am I misusing this ACL? My configuration is below. Build version at the
bottom of this email.
frontend https-in
    bind 0.0.0.0:443
    mode tcp
    # wait up to 5s for a ClientHello (handshake type 1) before routing
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl sni_jve req.ssl_sni -i jve.linuxwall.info
    acl sni_mig req.ssl_sni -i mig.ninja
    # req_ssl_ver is the legacy spelling of the req.ssl_ver sample fetch
    acl modern_tls req_ssl_ver 3.3
    use_backend mig_https if sni_mig modern_tls
    use_backend jve_https if sni_jve modern_tls
    # fallback to backward compatible backend
    default_backend jve_https_old
I think this is because openssl s_client sends v3.1 (TLSv1.0) for the
initial Client Hello:
https://www.openssl.org/news/changelog.html#x17
You can verify with a network capture.
Maybe you can also try with "curl --tlsv1.2" which should use a 3.3 version.
--
Cyril Bonté
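To make the mismatch in the reply above concrete, here is an added Python model (written for this page; it is neither code from the thread nor HAProxy's own source) of what the frontend's fetches see in a raw ClientHello. It builds a constructed ClientHello whose record header carries version 3.1 while the handshake body carries 3.3, then evaluates the acl against it. Assumptions: req_ssl_ver reports the version found in the 5-byte record header (bytes 1 and 2), req_ssl_hello_type reports the handshake message type (byte 5), and the dotted-version matcher treats "a.b" as an exact match and "a.b:c.d" as an inclusive range. The byte layout of the ClientHello follows the TLS record and handshake format; the cipher suite and zeroed random are placeholders.

```python
"""Model of what HAProxy's req_ssl_ver / req_ssl_hello_type see in a TLS ClientHello.

Added example for this thread; not part of the original post or of HAProxy.
"""
import struct


def build_client_hello(record_version, hello_version):
    """Return one TLS record carrying a ClientHello.

    record_version and hello_version are (major, minor) tuples, e.g. (3, 1).
    The two are deliberately independent so the mismatch can be reproduced.
    """
    body = bytes(hello_version)            # client_version inside the handshake body
    body += bytes(32)                      # random: zeros, constructed sample only
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02" + b"\xc0\x2f"      # one cipher suite (placeholder)
    body += b"\x01\x00"                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # record: content type 0x16 (handshake), version, length
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake


def req_ssl_hello_type(buf):
    """Handshake type as req_ssl_hello_type reports it (1 = ClientHello), or None."""
    if len(buf) < 6 or buf[0] != 0x16:
        return None
    return buf[5]


def req_ssl_ver(buf):
    """Version as req_ssl_ver reports it: taken from the record header, not the
    ClientHello body (assumption stated in the lead-in). Returns 'major.minor'."""
    if len(buf) < 5 or not (0x14 <= buf[0] <= 0x17):
        return None
    return f"{buf[1]}.{buf[2]}"


def client_hello_version(buf):
    """Version the client actually offers: client_version inside the handshake body."""
    if req_ssl_hello_type(buf) != 1 or len(buf) < 11:
        return None
    return f"{buf[9]}.{buf[10]}"


def acl_req_ssl_ver(buf, pattern):
    """Evaluate 'acl x req_ssl_ver <pattern>' for pattern 'a.b' (exact) or 'a.b:c.d'
    (inclusive range), comparing major<<16 + minor as HAProxy's dotted matcher does."""
    seen = req_ssl_ver(buf)
    if seen is None:
        return False

    def key(version):
        major, minor = version.split(".")
        return (int(major) << 16) + int(minor)

    low, _, high = pattern.partition(":")
    high = high or low
    return key(low) <= key(seen) <= key(high)


# Constructed samples. The first reproduces what the reply describes for
# openssl s_client: record header 3.1 (TLSv1.0), ClientHello body 3.3 (TLSv1.2).
S_CLIENT_HELLO = build_client_hello((3, 1), (3, 3))
# A client that puts 3.3 in the record header as well.
TLS12_RECORD_HELLO = build_client_hello((3, 3), (3, 3))

if __name__ == "__main__":
    for name, hello in (("record 3.1 / hello 3.3", S_CLIENT_HELLO),
                        ("record 3.3 / hello 3.3", TLS12_RECORD_HELLO)):
        print(name,
              "hello_type =", req_ssl_hello_type(hello),
              "req_ssl_ver =", req_ssl_ver(hello),
              "client_version =", client_hello_version(hello),
              "acl 3.3 ->", acl_req_ssl_ver(hello, "3.3"),
              "acl 3.3:3.99 ->", acl_req_ssl_ver(hello, "3.3:3.99"))
```

Running it shows why both "3.3" and "3.3:3.99" fail for the first sample: the acl only ever sees 3.1, even though the body announces 3.3. Against a real target, the same two fields are what a packet capture of the first record will show.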