From a267b5df4a20016a7daee5f457b219c1a2c48f39 Mon Sep 17 00:00:00 2001 From: Lukas Tribus Date: Sun, 19 Jul 2020 00:25:06 +0200 Subject: [PATCH] DOC: ssl: req_ssl_sni needs implicit TLS req_ssl_sni is not compatible with protocols negotiating TLS explicitly, like SMTP on port 25 or 587 and IMAP on port 143. Fix an example referring to 587 (SMTPS port with implicit TLS is 465) and amend the req_ssl_sni documentation. This doc fix should be backported to supported versions. --- doc/configuration.txt | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index e2e9d887c..93137ca2c 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -12259,15 +12259,16 @@ use-server unless The "use-server" statement works both in HTTP and TCP mode. This makes it suitable for use with content-based inspection. For instance, a server could - be selected in a farm according to the TLS SNI field. And if these servers - have their weight set to zero, they will not be used for other traffic. + be selected in a farm according to the TLS SNI field when using protocols with + implicit TLS (also see "req_ssl_sni"). And if these servers have their weight + set to zero, they will not be used for other traffic. Example : # intercept incoming TLS requests based on the SNI field use-server www if { req_ssl_sni -i www.example.com } server www 192.168.0.1:443 weight 0 use-server mail if { req_ssl_sni -i mail.example.com } - server mail 192.168.0.1:587 weight 0 + server mail 192.168.0.1:465 weight 0 use-server imap if { req_ssl_sni -i imap.example.com } server imap 192.168.0.1:993 weight 0 # all the rest is forwarded to this server @@ -17670,13 +17671,15 @@ req_ssl_sni : string (deprecated) contains data that parse as a complete SSL (v3 or superior) client hello message. Note that this only applies to raw contents found in the request buffer and not to contents deciphered via an SSL data layer, so this will not - work with "bind" lines having the "ssl" option. SNI normally contains the - name of the host the client tries to connect to (for recent browsers). SNI is - useful for allowing or denying access to certain hosts when SSL/TLS is used - by the client. This test was designed to be used with TCP request content - inspection. If content switching is needed, it is recommended to first wait - for a complete client hello (type 1), like in the example below. See also - "ssl_fc_sni". + work with "bind" lines having the "ssl" option. This will only work for actual + implicit TLS based protocols like HTTPS (443), IMAPS (993), SMTPS (465), + however it will not work for explicit TLS based protocols, like SMTP (25/587) + or IMAP (143). SNI normally contains the name of the host the client tries to + connect to (for recent browsers). SNI is useful for allowing or denying access + to certain hosts when SSL/TLS is used by the client. This test was designed to + be used with TCP request content inspection. If content switching is needed, + it is recommended to first wait for a complete client hello (type 1), like in + the example below. See also "ssl_fc_sni". ACL derivatives : req_ssl_sni : exact string match