httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] Is it possible to set different protocol for particular User-Agent?
Date Tue, 09 Aug 2016 15:58:15 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Daniel,

On 8/3/16 4:55 AM, Daniel wrote:
> No, by the time the user agent or any actual http data gets to be
> seen the protocol/cipher and complete ssl connection has already
> been stablished.
> 
> 2016-08-02 23:26 GMT+02:00 ghost <ghost@ghostblog.info 
> <mailto:ghost@ghostblog.info>>:
> 
> Hello there,
> 
> I was trying to show a notice page to IE6 users since my site 
> doesn't support SSLv3 anymore. And the problem is how to enable 
> SSLv3 only for IE otherwise the IE6 users won't be able to see the
> page.
> 
> I found some tricks about '<location>' in the documentation, which 
> allows me to set different protocol and cipher suites for
> particular URL. I wonder if there is a method to set the protocol
> for particular UA?
> 
> Thanks, ghost

There *is* a way to do this.. kind of. I did it long ago when we were
thinking about changing our protocol support, etc. I no longer have
the configuration, so I'll explain what we did:

1. Configure mod_ssl for the lowest protocol/ciphers you will support
2. Use <Directory> and/or <Location> to change the TLS protocol
requirements for truly sensitive communication
3. Use mod_rewrite to check for certain protocols / ciphers and
redirect to a "protocol support is being dropped" page
4. Set a cookie when the user ACKs the protocol support change

It's messy, but it works.

The real solution is to simply disable SSLv3 since everybody has done
it already. MSIE6 can just die.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP
uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/
5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm
vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I
JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf
qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7
yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03
u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g
E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S
T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz
6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q
KQZGC5YToFII1lj5wE49
=UN7o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message