After the POODLE vulnerability was revealed recently, our team decided to move on from SSLv3. But before complete removal, they want to warn the daily users that their browser uses the deprecated SSLv3. So, we came up with the idea to:
- Detect the protocol (SSLv3, TLS1, etc.) at the front-end SSL offloading (we use nginx)
- Pass that info (SSL protocol) via HTTP header to Apache-backend.
Then our backend code will process that header and give a warning if the client uses SSLv3.
I am aware that nginx has the proxy_set_header feature. So this one would be as simple as
proxy_set_header X-HTTPS-Protocol $something;
Now, the problem is: obviously nginx knows the protocol used by the client, but how can I pass that info to the backend via an HTTP header?
Thanks
As pointed out by the similar thread Apache redirect user if they are using SSLv3, this idea may turn out to be a very, very bad idea.
The reason is that the TLS handshake occurs before any HTTP traffic is sent through the TLS tunnel. By the time our backend detects the SSL protocol, the client may already have sent private data in his first request. For a permanent and long-term solution we should consider disabling SSLv3.
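For reference, an added nginx example (not from the original question or answer) showing both the header-passing approach the question asks about, using nginx's own `$ssl_protocol` variable, and the final fix the answer recommends. The header name is the asker's, while the hostname and backend address are placeholders.

```nginx
# Added example, not from the original thread. Assumes a backend on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname

    # Transitional (weak) setting: SSLv3 still accepted so the backend can warn users.
    # Note the caveat from the answer: the client's first request, possibly carrying
    # private data, has already travelled over SSLv3 by the time the backend sees it.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    location / {
        # $ssl_protocol is set by ngx_http_ssl_module, e.g. "SSLv3" or "TLSv1.2".
        # X-HTTPS-Protocol is the header name from the question; the backend reads it.
        proxy_set_header X-HTTPS-Protocol $ssl_protocol;
        proxy_pass http://127.0.0.1:8080;
    }
}

# Final setting, as the answer recommends: drop SSLv3 entirely. The handshake then
# fails for SSLv3-only clients before any HTTP request is sent, so no private data
# ever crosses the wire over the deprecated protocol.
#   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
```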