Hi
We use a single backend large-scale HAProxy-based proxy server. SSL offload happens at this layer. Is it possible to disable TLS 1.3 for a specific domain/hostname? We have thousands of apps and each app has its own hostname. We use SNI and HTTP mode.
We don’t want to introduce too much complexity to solve this problem for one or two apps that are not compatible with TLS 1.3, like new front-ends or additional backends, or disabling TLS 1.3 globally at the front-end level.
It would be highly appreciated if anyone has a good approach.
Srinivas Kotaru
Yes, you can use the crt-list feature to specify TLS settings per SNI/cert.
Thanks @lukastribus. It is a very helpful tip which I was not aware of so far.
But I am not sure that works in my case. We are already using a folder to hold all certs for our apps:
frontend SSL
    mode http
    bind *:80
    bind *:443 ssl no-tlsv10 crt /usr/local/etc/haproxy/ssl/certs alpn h2,http/1.1
    monitor-uri /proxy.html
Our automation provisions a new cert and copies it to this folder whenever a new application onboards to us. I don’t want to change this behaviour.
Can we add crt-list in addition to the existing ‘crt’ and only add the path for applications that don’t want TLS 1.3?
I really appreciate your help on this.
Srinivas Kotaru
I suggest you try combining the two.
If you want a tested, working solution in a short time, I suggest you acquire commercial support.
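One way the suggested combination of `crt` and `crt-list` could look, as an added example that is not from the original posts and has not been tested against this deployment. The list file name, the `exceptions` directory and the hostname `legacy-app.example.com` are assumptions; the frontend is the one posted above.

```haproxy
# --- /usr/local/etc/haproxy/ssl/no-tls13.list (hypothetical crt-list file) ---
# One line per exception: <certfile> [<per-cert ssl options>] <sni filter>
# ssl-max-ver caps the negotiated TLS version for this SNI only.
# The PEM is kept outside the automated certs directory (assumption) so the
# same certificate is not also loaded by the directory "crt" with defaults.
/usr/local/etc/haproxy/ssl/exceptions/legacy-app.pem [ssl-max-ver TLSv1.2] legacy-app.example.com

# --- haproxy.cfg ---
frontend SSL
    mode http
    bind *:80
    # crt-list carries the per-SNI exceptions; the directory crt keeps serving
    # every other app unchanged, so the existing automation is untouched.
    # crt-list is placed first here as an assumption; confirm which entry
    # HAProxy selects for the excepted hostname before relying on it.
    bind *:443 ssl no-tlsv10 crt-list /usr/local/etc/haproxy/ssl/no-tls13.list crt /usr/local/etc/haproxy/ssl/certs alpn h2,http/1.1
    monitor-uri /proxy.html
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading. Then confirm that `openssl s_client -connect <proxy>:443 -servername legacy-app.example.com -tls1_3` fails the handshake while the same command against another app's hostname still negotiates TLS 1.3.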