Passing SSL protocol info to backend via HTTP header

Question

After Poodle vulnerability was revealed recently, our team decided to move on from SSLv3. But before complete removal, they want to warn the daily users that their browser use deprecated SSLv3. So, we came up the idea to

Detect the protocol (SSLv3, TLS1 etc...) from front end SSL-offloading (we use nginx)
Pass that info (SSL protocol) via HTTP header to Apache-backend.

Then our backend code will process that header and give warning if the client use SSLv3.

I aware that nginx has feature proxy_set_header. So this one would be simple as

proxy_set_header X-HTTPS-Protocol $something;

Now, the problem is : obviously nginx know the protocol used by client, but how can I pass that info to backend via HTTP header?

Thanks

As pointed by similar thread Apache redirect user if they are using SSLv3, this idea may became very-very bad idea.

The reason is TLS handshake occurs before HTTP traffic is sent through the TLS tunnel. By the time our backend detects the SSL protocol, the client may have sent private data in his first request. For permanent and long term solution we should consider to disable SSLv3.

score 15 · Accepted Answer · edited Jun 11 '20 at 10:02

15

Nginx use many variables which can be used in config. This page provided the complete list of the variables. The variable that holds the protocol in a HTTPS request is ssl_protocol. Citation:

$ssl_protocol
returns the protocol of an established SSL connection;

So your proxy_set_header configuration would be

proxy_set_header X-HTTPS-Protocol $ssl_protocol;

Another reference: here

edited Jun 11 '20 at 10:02

Community

1

answered Oct 19 '14 at 08:25

masegaloeh

17,978
9
56
104

Missing semicolon at the end of $ssl_protocol (I can't change it since serverf*l requires 6 chars to be changed). – Melroy van den Berg Mar 06 '18 at 17:31
@danger89 done that – sanmai Jun 14 '18 at 01:43

Passing SSL protocol info to backend via HTTP header

1 Answers1