> On 30 Nov 2017, at 12:15, Emmanuel Hocdet <m...@gandi.net> wrote:
>
> In this case, I don’t understand the interest of ssl_fc_has_early.
>
> looking at the documentation
> ssl_fc_has_early : boolean
> Returns true if early data were sent, and the handshake didn't happen yet. As
> it has security implications, it is useful to be able to refuse those, or
> wait until the handshake happened.
>
> ssl_fc_* can be used after the front connection at ssl level: handshake will
> be finished at this time.
> ssl_fc_has_early should be: returns true if early data were sent and accepted
> in ssl level. (425 return is http level)
>
> What the description makes me think, and understand what you said, is that it
> could be a « ssl_hs_has_early ».
> I’m very interested in having acl on hs negotiation, I don't know how to do
> that now in haproxy.
>
.. in tcp mode. With acl in http mode ssl_hs_has_early could be a good name for
that.