
After the POODLE vulnerability was revealed recently, our team decided to move on from SSLv3. But before complete removal, they want to warn the daily users that their browser uses the deprecated SSLv3. So, we came up with the idea to

  • Detect the protocol (SSLv3, TLS1 etc...) from front end SSL-offloading (we use nginx)
  • Pass that info (SSL protocol) via HTTP header to Apache-backend.

Then our backend code will process that header and give a warning if the client uses SSLv3.

I am aware that nginx has the feature proxy_set_header. So this one would be as simple as

proxy_set_header X-HTTPS-Protocol $something;

Now, the problem is: obviously nginx knows the protocol used by the client, but how can I pass that info to the backend via an HTTP header?

Thanks


As pointed out in the similar thread Apache redirect user if they are using SSLv3, this idea may turn out to be a very, very bad idea.

The reason is that the TLS handshake occurs before any HTTP traffic is sent through the TLS tunnel. By the time our backend detects the SSL protocol, the client may have sent private data in his first request. For a permanent, long-term solution we should consider disabling SSLv3.

tpml7

1 Answer


Nginx uses many variables which can be used in the config. This page provides the complete list of the variables. The variable that holds the protocol in an HTTPS request is ssl_protocol. Citation:

$ssl_protocol

returns the protocol of an established SSL connection;

So your proxy_set_header configuration would be

proxy_set_header X-HTTPS-Protocol $ssl_protocol;

Another reference: here

masegaloeh
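A fuller nginx configuration built around that variable, added here as an example and not taken from the original answer; the upstream name apache_backend, the certificate paths and the X-Legacy-TLS header name are assumptions:

```nginx
# Added example (not from the original answer). Assumed names: the upstream
# "apache_backend", the certificate paths and the X-Legacy-TLS header.
http {
    upstream apache_backend {
        server 127.0.0.1:8080;
    }

    # $ssl_protocol is "SSLv3", "TLSv1", "TLSv1.1" or "TLSv1.2" on an
    # established connection; map it to a simple flag the backend can test.
    map $ssl_protocol $legacy_tls {
        default 0;
        SSLv3   1;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;  # assumed path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;  # assumed path

        # SSLv3 stays enabled only for the warning period described in the
        # question; dropping it from this list is the real fix.
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

        location / {
            proxy_pass http://apache_backend;
            # proxy_set_header replaces any same-named header the client sent,
            # so the backend sees only nginx's value, not a client-supplied one.
            proxy_set_header X-HTTPS-Protocol $ssl_protocol;
            proxy_set_header X-Legacy-TLS     $legacy_tls;
            proxy_set_header Host             $host;
        }
    }
}
```

As the question's edit points out, the handshake is complete before the first request reaches Apache, so this header can only drive a warning in the response; it cannot protect data the client already sent over an SSLv3 connection.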