2

I'd like to redirect any users on our site if they try to use SSLv3 (if I just disable SSLv3 and a browser like IE6 comes along, I couldn't seem to properly redirect it to an http version of our site with an error message - so I'd like to allow SSLv3, but redirect them to an error message if they are using it).

I think I want something like the following:

RewriteCond %{SSL_PROTOCOL} SSLv3
RewriteRule (.*) http://%{SERVER_NAME}/mysite/unsupported_browser.html

Unfortunately, %{SSL_PROTOCOL} always seems to be empty. I'm using Apache 2.2.15 on CentOS 6 32-bit. SSL works just fine for the website normally (i.e. https://mysite/mysite/unsupported_browser.html works fine).

There seem to be a bunch of variables that are supposed to be available, but they are empty for me (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html).

Anyone have any ideas what I can do?

Jarrett
  • The TLS handshake occurs before HTTP traffic is sent through the TLS tunnel. By the time you redirect the traffic it's already too late if some bad guy is doing a MITM attack. – Xavier Lucas Oct 16 '14 at 22:42
  • You must have missed the part on the page you linked that says `This information is not provided by default for performance reasons. (See SSLOptions StdEnvVars, below.) ` –  Oct 16 '14 at 22:43
  • @yoonix, I did see that, but adding `SSLOptions +StdEnvVars` didn't do anything... – Jarrett Oct 16 '14 at 22:44
  • Exactly. You should not be attempting this at all. Any unfortunate soul who is still stuck with IE on XP (and they really are too few to be concerned with on a general audience web site) has long since switched to another browser because of all the _other_ sites that no longer work. – Michael Hampton Oct 16 '14 at 22:44
  • @XavierLucas Hmm...well, this would only trigger if they were using SSLv3, in which case nothing sensitive should have been submitted (they shouldn't be able to get to the actual site if they use SSLv3). If it's TLS I shouldn't have a problem...But I get your gist - bad idea to do this in general. – Jarrett Oct 16 '14 at 22:47
  • A page with information regarding why you can't connect and what you need to do to connect is much more valuable to a user than a vague SSL error message from the browser. – xdfil May 13 '15 at 16:19

2 Answers

2

The solution for this is:

RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule (.*) http://%{SERVER_NAME}/unsupported_browser.html [L,R=302]

This works for me :)
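To show how the accepted RewriteCond fits into a full Apache 2.2 SSL virtual host, and why it works where the question's version did not, here is an added configuration example (not code from the question or either answer). The hostname, certificate paths and document root are placeholders. The key difference is the lookup syntax: %{SSL:SSL_PROTOCOL} asks mod_ssl for the value directly at rewrite time, whereas the bare %{SSL_PROTOCOL} in the question is an ordinary environment-variable lookup that stays empty unless SSLOptions +StdEnvVars has exported it (and even then, rewrite processing in the server context can run before that export happens).

```apache
# Added example: an Apache 2.2 SSL vhost that keeps SSLv3 enabled only long
# enough to redirect SSLv3 clients to an explanation page served over plain HTTP.
# Hostnames and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/mysite

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.key

    # Option A (what the accepted answer does): let the SSLv3 handshake complete,
    # then redirect any request that arrived over it. The handshake has already
    # finished by the time mod_rewrite runs, so this only helps with usability,
    # not with the protocol weakness itself (see the comment thread above).
    SSLProtocol all -SSLv2

    RewriteEngine on
    # %{SSL:...} is resolved by mod_ssl itself; no SSLOptions +StdEnvVars needed.
    RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
    # Only the external redirect; the target is on the :80 vhost, so no loop.
    RewriteRule ^ http://%{SERVER_NAME}/unsupported_browser.html [L,R=302]

    # Option B (what the second answer recommends): refuse SSLv3 in the handshake.
    # The client then gets a browser-level TLS error and no page can be served,
    # because HTTP only starts after the handshake succeeds. Use instead of A.
    # SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

# The error page must be reachable over plain HTTP, since the SSLv3-only client
# is exactly the one that cannot be served anything useful over TLS.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/mysite
    # /var/www/mysite/unsupported_browser.html is a static file
</VirtualHost>
```

To check Option A, connect with an OpenSSL build that still supports SSLv3 (`openssl s_client -connect www.example.com:443 -ssl3`), type `GET / HTTP/1.0` followed by a blank line, and expect a 302 with a Location header pointing at the http:// page; a TLS 1.x connection (`-tls1`) to the same host should serve the site normally. With Option B the `-ssl3` connection should fail during the handshake instead, which is the behaviour DTK describes in the comments on the second answer.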

0

According to IBM[1], you should be able to interrogate ENV:SSL_PROTOCOL_VERSION environment variable, which should be exported by mod_ssl.

That said, it might be better[2] to only support TLSv1 and later, and have a custom error page to inform them that they need to switch to a browser that supports TLS1 or later.

[1]: http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#REWRITESSL

[2]: Better, as in not having to make rewrite decisions that are computationally costly, when the fall-through to a static error page is less expensive to your server

DTK
  • Hi @DTK, thanks for the reply. How would I go about displaying an error page if they don't support TLSv1 or later? – Jarrett Oct 17 '14 at 04:29
  • I was mistaken. Testing, it looks like it would just be a handshake failure. Your original solution would be the way to achieve this (but interrogate the variable ENV:SSL_PROTOCOL_VERSION instead). – DTK Oct 18 '14 at 04:22