Different SSL Protocols for each backend server. Is it possible?


#1

I need to disable TLSv1.0 for one of my webservers, but not for the rest of them.
bind :443 ssl crt /etc/haproxy/merged.pem no-tlsv10 <- works
ssl-default-bind-options no-tlsv10 <- works
server apache 10.0.0.1 no-tlsv10 <- doesn’t work
ssl-default-server-options no-tlsv10 <- doesn’t work

Is there any way to disable a given SSL protocol for specific backend servers, other than using different IPs/frontends?


#2

I assume you understand that you are actually disabling TLSv1.0 with this configuration, not SSLv3.

These two options disable TLSv1.0 on SSL connections from haproxy to the backend server (if any). It has nothing to do with the SSL session between the browser and haproxy, however.

No, it isn’t, you need dedicated bind statements.

If all you have is a single IP address and port and you absolutely need this: use a TCP frontend without SSL termination, SNI route to different backends that recirculate traffic to dedicated SSL frontends with different configurations:

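The layout described in #2 (one public IP and port, a TCP frontend that routes on SNI, and per-hostname TLS frontends with their own protocol settings), written out as an added example configuration. This is not the poster's configuration or anything from the thread: the hostnames, the abstract-namespace socket names, the certificate paths and the backend IPs are all assumed, and the only real value reused from the thread is `no-tlsv10`.

```haproxy
# Added example, not from the thread. All names, paths and addresses below are assumed.
global
    log stdout format raw local0

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. One plain TCP frontend on the single public IP and port. No TLS is
#    terminated here, so the ClientHello is still visible for SNI routing.
frontend fe_sni_router
    mode tcp
    bind :443
    # Hold the connection until the ClientHello has arrived so req.ssl_sni is usable.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Route by SNI. The "strict" host gets the frontend that refuses TLSv1.0.
    use_backend be_loop_strict if { req.ssl_sni -i strict.example.com }
    default_backend be_loop_default

# 2. Loop-back backends: forward the raw TCP stream to a local listener.
#    abns@ sockets (Linux abstract namespace) avoid burning extra ports or IPs.
#    PROXY protocol preserves the real client address across the hop.
backend be_loop_strict
    mode tcp
    server loop abns@strict send-proxy-v2

backend be_loop_default
    mode tcp
    server loop abns@default send-proxy-v2

# 3. Dedicated TLS frontends, each with its own protocol policy.
#    This one refuses TLSv1.0 (and TLSv1.1) for the strict host only.
frontend fe_tls_strict
    mode http
    bind abns@strict accept-proxy ssl crt /etc/haproxy/strict.pem no-tlsv10 no-tlsv11
    default_backend be_app_strict

#    This one keeps the default protocol set, so TLSv1.0 remains available here.
frontend fe_tls_default
    mode http
    bind abns@default accept-proxy ssl crt /etc/haproxy/default.pem
    default_backend be_app_default

# 4. Real backends (plain HTTP to the web servers in this example).
backend be_app_strict
    mode http
    server apache 10.0.0.1:80

backend be_app_default
    mode http
    server apache2 10.0.0.2:80
```

Each hostname that needs a distinct TLS policy gets its own loop-back backend and TLS frontend; clients that send no SNI fall through to `be_loop_default`. Note that the per-frontend `no-tlsv10` applies to the browser-facing session, which is the part the question is about; the `ssl-default-server-options` line from #1 only ever governed haproxy's own connections to the backends.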

#3

Yes, I meant TLS1.0 when I said SSLv3.

I see. So the only way is by having separate bind statements. The TCP frontend could save me one public IP address, though.

Thanks anyway.