Protecting against DDoS SSL handshake failure attacks

Can anybody confirm whether stick-tables are run before or after the SSL handshake is checked? We are getting attacks by bots intentionally not using the correct client certificate that we set, and we want to make sure the stick table rules are applied even if the client fails SSL handshaking. (We’re currently using mode tcp with tcp-request to block.)

A stick table is just a key-value store.

How it is used is up to you (and the configuration).
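Added example (not part of the original posts): a stick table keyed on the client address and updated from `tcp-request connection` rules. HAProxy evaluates these rules when the connection is accepted, before any TLS handshake, so clients that fail certificate verification are still counted and rejected. The names `ft_mtls` and `be_app`, the file paths, the server address and the thresholds are assumptions.

```haproxy
# Added example; section names, paths, address and thresholds are assumptions.
frontend ft_mtls
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/clients-ca.pem verify required

    # The key-value store: key = client IPv4 address,
    # values = connection rate over 10s and concurrent connections.
    stick-table type ip size 100k expire 10m store conn_rate(10s),conn_cur

    # "tcp-request connection" rules run at accept time, before the TLS
    # handshake, so a connection is tracked even if the handshake then fails.
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_rate gt 20 }
    tcp-request connection reject if { sc0_conn_cur gt 10 }

    default_backend be_app

backend be_app
    mode tcp
    server app1 192.0.2.10:8443
```

Rules written as `tcp-request session` or `tcp-request content` are evaluated only after the handshake has completed, so they never see connections that fail it.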