
forceTlsVersionAction Action

Force the TLS protocol version that Fluxzy negotiates with the upstream server. This is useful for testing legacy servers or strict modern endpoints.

Protocol negotiation usually happens silently and almost always lands on the latest version both sides support. forceTlsVersionAction gives you a deterministic way to override that decision so you can verify legacy support, reproduce a TLS-specific bug, or confirm a server has retired an obsolete protocol.

When to use this action

Use forceTlsVersionAction when you want to control exactly which TLS protocol Fluxzy negotiates with the upstream server. The action makes it easy to reproduce protocol-specific behaviour without changing OS-level settings or client code.

Typical situations include:

  • Verifying that a server has actually disabled TLS 1.0 or TLS 1.1 by attempting to force them.
  • Forcing TLS 1.2 on a client that has moved to TLS 1.3 to reproduce an old bug.
  • Pinning TLS 1.3 to test that a modern endpoint negotiates the protocol correctly.
  • Building a compatibility matrix during a migration project.

The action runs on the requestHeaderReceivedFromClient scope. Valid values for sslProtocols include Tls, Tls11, Tls12, Tls13, plus legacy entries Ssl3 and Ssl2.

Real world examples

Force TLS 1.2 on a specific host

Helps you reproduce bugs on a client that has migrated to TLS 1.3 by default.

rules:
- filter:
    typeKind: HostFilter
    pattern: api.internal.example.com
  actions:
  - typeKind: ForceTlsVersionAction
    sslProtocols: Tls12

Probe a server to confirm TLS 1.0 is disabled

A failed handshake confirms that the server has correctly removed support.

rules:
- filter:
    typeKind: HostFilter
    pattern: legacy.example.com
  actions:
  - typeKind: ForceTlsVersionAction
    sslProtocols: Tls

Pin TLS 1.3 to validate a modern endpoint

Combined with HTTP/2, this matches the baseline of a current generation browser.

rules:
- filter:
    typeKind: HostFilter
    pattern: payments.example.com
  actions:
  - typeKind: ForceTlsVersionAction
    sslProtocols: Tls13
  - typeKind: ForceHttp2Action
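
The compatibility matrix mentioned under "When to use this action" needs one capture pass per protocol, because each rule forces a single version. The following is an added example, not Fluxzy's own code: it writes one rule file per protocol in the format shown above and then lists the hosts whose recorded handshake results contradict the expected outcome. The function names, the RETIRED policy set and the sample results are assumptions made for illustration.

```python
import re

# Values this page lists for sslProtocols.
VALID = ("Ssl2", "Ssl3", "Tls", "Tls11", "Tls12", "Tls13")
# Assumed policy for this example: a handshake forced to these must fail.
RETIRED = {"Ssl2", "Ssl3", "Tls", "Tls11"}


def rules_for(hosts, protocol):
    """Return Fluxzy rule YAML forcing `protocol` for each host."""
    if protocol not in VALID:
        raise ValueError(f"unknown sslProtocols value: {protocol!r}")
    lines = ["rules:"]
    for host in hosts:
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):  # keep YAML injection out
            raise ValueError(f"unexpected host name: {host!r}")
        lines += [
            "- filter:",
            "    typeKind: HostFilter",
            f"    pattern: {host}",
            "  actions:",
            "  - typeKind: ForceTlsVersionAction",
            f"    sslProtocols: {protocol}",
        ]
    return "\n".join(lines) + "\n"


def matrix(hosts, protocols=VALID):
    """One rule file per protocol: each capture pass tests a single version."""
    return {p: rules_for(hosts, p) for p in protocols}


def findings(observed):
    """observed maps (host, protocol) -> True if the forced handshake succeeded."""
    out = []
    for (host, proto), ok in sorted(observed.items()):
        if proto in RETIRED and ok:
            out.append(f"{host}: still accepts {proto}")
        elif proto not in RETIRED and not ok:
            out.append(f"{host}: rejects {proto}")
    return out


if __name__ == "__main__":
    hosts = ["legacy.example.com", "payments.example.com"]
    print(matrix(hosts)["Tls"])
    # Constructed results, as they would be noted down after each capture pass.
    sample = {("legacy.example.com", "Tls"): True, ("payments.example.com", "Tls"): False}
    print("\n".join(findings(sample)))
```

The handshake outcomes passed to findings() are read from the TLS errors the exchanges surface in each pass; the script does not contact any server itself.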

Reference

forceTlsVersionAction

Description

Force the usage of a specific TLS version. Values can be chosen from: Tls, Tls11, Tls12, Tls13, Ssl3, Ssl2.
Forcing the usage of a specific TLS version can break the exchange if the remote does not support the requested protocol.

Evaluation scope

The evaluation scope defines the point at which this action is applied.

requestHeaderReceivedFromClient: This scope occurs the moment Fluxzy has parsed the request header received from the client.

YAML configuration name

forceTlsVersionAction

Settings

The following table describes the customizable properties available for this action:

Property | Type | Description | DefaultValue
sslProtocols | none, ssl2, ssl3, tls, default, tls11, tls12, tls13 | | none

Example of usage

The following example applies this action to every exchange.

Accept only TLS 1.1 connections.

rules:
- filter:
    typeKind: AnyFilter
  actions:
  - typeKind: ForceTlsVersionAction
    sslProtocols: Tls11

.NET reference

View definition of ForceTlsVersionAction for .NET integration.


Frequently asked questions

What happens if the server does not support the requested TLS version?

The handshake fails and the exchange surfaces a TLS error. That is often exactly what you want when probing a server for protocol support.

Does this also pin the cipher suites?

No. It only forces the protocol version. Cipher selection still follows the operating system or runtime defaults.

Can I disable certificate validation on the same rule?

Yes. Add skipRemoteCertificateValidationAction in the same rule if you also want to bypass certificate checks while testing.

Should I avoid Ssl2 and Ssl3 in production?

Yes. These protocols are obsolete and considered unsafe. They are available in the action only so you can probe servers that should reject them.
