On Fri, Oct 09, 2015 at 12:24:11AM +0200, Lukas Tribus wrote:
> > frontend https-in
> > bind 0.0.0.0:443
> > mode tcp
> > tcp-request inspect-delay 5s
> > tcp-request content accept if { req_ssl_hello_type 1 }
> >
> > acl sni_jve req.ssl_sni -i jve.linuxwall.info
> > # bytes 9-10 of the record = client_version inside the ClientHello (0303 = TLS 1.2)
> > acl tls12 req.payload(9,2) -m bin 0303
> > # record-layer version 3.0 = SSLv3
> > acl sslv3 req_ssl_ver 3.0
> >
> > use_backend jve_https if sni_jve tls12
> > use_backend jve_https_sha1_ssl3 if sslv3
> > # fallback to backward compatible sha1
> > default_backend jve_https_sha1
> 
> Are you sure your TLSv1.2 client is actually sending
> jve.linuxwall.info as the SNI value? I suggest removing the
> SNI condition while testing the TLS ACL.

Another point to keep in mind is that when browsers experience
connection issues while sending certain extensions, they stop
sending them afterwards for the same host. It might be worth checking
with ssldump, or simply closing and restarting the browser, to ensure
that it is not a side effect of a previously failed attempt. I've
been hit a number of times by this :-/

Willy
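The following is an added example, not part of the thread and not HAProxy's own code. It builds constructed ClientHello records (no captured traffic) and evaluates the ACLs from the quoted frontend against them the way the routing rules would, so you can see which bytes each fetch looks at: `req_ssl_hello_type` is byte 5 (first byte after the 5-byte record header), `req.payload(9,2)` is the `client_version` inside the handshake, and `req.ssl_sni` comes from the `server_name` extension. The helper names (`build_client_hello`, `pick_backend`, `req_ssl_sni`, ...) are this example's own, and `req_ssl_ver` is modelled here as the record-layer version, which is an assumption about HAProxy's implementation rather than a quote of it.

```python
import struct

JVE_SNI = "jve.linuxwall.info"


def build_client_hello(client_version, sni=None, record_version=b"\x03\x01"):
    """Constructed sample data: a minimal ClientHello record.

    client_version  -- 2 bytes placed inside the handshake (what req.payload(9,2) reads)
    sni             -- hostname for a server_name extension, or None for no extension
    record_version  -- 2 bytes placed in the record header (what req_ssl_ver reads here)
    """
    body = client_version
    body += b"\x11" * 32                       # client random (fixed so output is deterministic)
    body += b"\x00"                            # session_id length 0
    suites = b"\xc0\x2f\x00\x2f"               # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        names = struct.pack("!H", len(name)) + name            # server_name_list
        exts += struct.pack("!HH", 0x0000, len(names)) + names # extension type 0 = server_name
    if exts:                                   # SSLv3-style hellos carry no extension block
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + record_version + struct.pack("!H", len(handshake)) + handshake


def req_ssl_hello_type(data):
    """Handshake message type: the byte right after the 5-byte record header."""
    return data[5] if len(data) > 5 else None


def req_ssl_ver(data):
    """Record-layer version as 'major.minor' ('3.0' = SSLv3, '3.1' = TLS 1.0).
    Assumption: modelled on the record header, not copied from HAProxy's parser."""
    return "%d.%d" % (data[1], data[2])


def req_payload(data, offset, length):
    """Raw bytes at the given offset of the buffered request, like req.payload(off,len)."""
    return data[offset:offset + length]


def req_ssl_sni(data):
    """Hostname from the server_name extension, or None if there is none."""
    pos = 5 + 4 + 2 + 32                       # record hdr + handshake hdr + version + random
    pos += 1 + data[pos]                       # skip session_id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2 + cs_len                          # skip cipher suites
    pos += 1 + data[pos]                       # skip compression methods
    if pos + 2 > len(data):
        return None                            # no extensions at all
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0x0000:
            p = pos + 2                        # skip server_name_list length
            while p + 3 <= pos + elen:
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
        pos += elen
    return None


def pick_backend(data):
    """Apply the quoted use_backend / default_backend rules in order.
    The tcp-request content accept rule is not modelled; only the three ACLs are."""
    sni_jve = (req_ssl_sni(data) or "").lower() == JVE_SNI     # -i: case-insensitive
    tls12 = req_payload(data, 9, 2) == b"\x03\x03"
    sslv3 = req_ssl_ver(data) == "3.0"
    if sni_jve and tls12:
        return "jve_https"
    if sslv3:
        return "jve_https_sha1_ssl3"
    return "jve_https_sha1"


if __name__ == "__main__":
    cases = {
        "TLS1.2 + SNI":      build_client_hello(b"\x03\x03", sni=JVE_SNI),
        "TLS1.2, no SNI":    build_client_hello(b"\x03\x03"),
        "SSLv3":             build_client_hello(b"\x03\x00", record_version=b"\x03\x00"),
        "TLS1.0 + SNI":      build_client_hello(b"\x03\x01", sni=JVE_SNI),
    }
    for label, rec in cases.items():
        print("%-16s type=%d rec_ver=%s hello_ver=%s sni=%s -> %s" % (
            label, req_ssl_hello_type(rec), req_ssl_ver(rec),
            req_payload(rec, 9, 2).hex(), req_ssl_sni(rec), pick_backend(rec)))
```

The "TLS1.2, no SNI" case is the situation Lukas asks about: a TLS 1.2 hello without the expected SNI falls through to `jve_https_sha1`, exactly as if the TLS ACL had failed. The first case also shows why the quoted config reads `req.payload(9,2)` rather than testing `req_ssl_ver 3.3`: many clients put 3.1 in the record-layer version of a TLS 1.2 ClientHello and only advertise 3.3 in the handshake's `client_version`, so a record-level check would miss them.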