HAProxy community

Disable TLS 1.3 for specific SNI


We use a single backend large scale HAPROXY based proxy server. SSL offload happens at this layer. is it possible to disable TLS1.3 for a specific domain/hostname? We have thousand of apps and each app has its own hostname. We use SNI and http mode .

Don’t want to introduce too much complexity to solve this problem for one or two apps who are not compatible with tls 1.3, like new front-ends or additional backends or disable tls1.3 globally at front-end level.

highly appreciated if anyone has good approach.

Srinivas Kotaru

Yes, you can use crt-list feature to specify TLS settings per SNI/cert.

Thanks @lukastribus. It is very helpful tip which am not aware so far :slight_smile:
But not sure that works in my case. We already using a folder to hold all certs for our apps

frontend SSL
mode http
bind *:80
bind *:443 ssl no-tlsv10 crt /usr/local/etc/haproxy/ssl/certs alpn h2,http/1.1
monitor-uri /proxy.html

Our automation provision new cert and copies to this folder whenever a new application onboard to us. I don’t want to change this behaviour .

Can we add crt-list in addition to existing ‘crt’ and add only add path to to application who don’t want tls1.3?

really appreciate your help on this

Srinivas Kotaru

@lukastribus: any help??

I suggest you try combining the two.

If you want a tested, working solution in a short time, I suggest you acquire commercial support.