Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 1F777200B61 for ; Tue, 9 Aug 2016 17:58:52 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 1DDC1160AA5; Tue, 9 Aug 2016 15:58:52 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 67D0D160A6B for ; Tue, 9 Aug 2016 17:58:51 +0200 (CEST) Received: (qmail 128 invoked by uid 500); 9 Aug 2016 15:58:50 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 118 invoked by uid 99); 9 Aug 2016 15:58:50 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 09 Aug 2016 15:58:49 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 833E2180BD4 for ; Tue, 9 Aug 2016 15:58:49 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.713 X-Spam-Level: X-Spam-Status: No, score=0.713 tagged_above=-999 required=6.31 tests=[KAM_LAZY_DOMAIN_SECURITY=1, NO_RDNS_DOTCOM_HELO=0.433, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id uDURknROR_fJ for ; Tue, 9 Aug 2016 15:58:45 +0000 (UTC) Received: from vms173017pub.verizon.net (vms173017pub.verizon.net [206.46.173.17]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 01F275F1D5 for ; Tue, 9 Aug 2016 15:58:45 +0000 (UTC) Received: from vz-proxy-l002.mx.aol.com ([64.236.82.148]) by vms173017.mailsrvcs.net (Oracle Communications Messaging Server 7.0.5.32.0 64bit (built Jul 16 2014)) with ESMTPA id <0OBN004WWGD4CN00@vms173017.mailsrvcs.net> for users@httpd.apache.org; Tue, 09 Aug 2016 10:58:16 -0500 (CDT) X-CMAE-Score: 0 X-CMAE-Analysis: v=2.1 cv=WcjxEBVX c=1 sm=1 tr=0 a=hkQRW7prCrFMEwk2DGUM9Q==:117 a=IkcTkHD0fZMA:10 a=7z1cN_iqozsA:10 a=wrL9a6GFAAAA:8 a=j4nzMFrpAAAA:8 a=QfKxxUxMAAAA:8 a=MSOJaV5HFQjvyRG7FaIA:9 a=gJ1iUIAq0C8t2ft0:21 a=ohLhK2lh_LMW8Hdm:21 a=QEXdDO2ut3YA:10 Received: by 71.127.40.115 with SMTP id 34ec8b32; Tue, 09 Aug 2016 15:58:16 GMT To: users@httpd.apache.org References: From: Christopher Schultz Message-id: <6072b000-bccd-e61e-a70e-5c557502af88@christopherschultz.net> Date: Tue, 09 Aug 2016 11:58:15 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-version: 1.0 In-reply-to: Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 7bit Subject: Re: [users@httpd] Is it possible to set different protocol for particular User-Agent? archived-at: Tue, 09 Aug 2016 15:58:52 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Daniel, On 8/3/16 4:55 AM, Daniel wrote: > No, by the time the user agent or any actual http data gets to be > seen the protocol/cipher and complete ssl connection has already > been stablished. > > 2016-08-02 23:26 GMT+02:00 ghost >: > > Hello there, > > I was trying to show a notice page to IE6 users since my site > doesn't support SSLv3 anymore. And the problem is how to enable > SSLv3 only for IE otherwise the IE6 users won't be able to see the > page. > > I found some tricks about '' in the documentation, which > allows me to set different protocol and cipher suites for > particular URL. I wonder if there is a method to set the protocol > for particular UA? > > Thanks, ghost There *is* a way to do this.. kind of. I did it long ago when we were thinking about changing our protocol support, etc. I no longer have the configuration, so I'll explain what we did: 1. Configure mod_ssl for the lowest protocol/ciphers you will support 2. Use and/or to change the TLS protocol requirements for truly sensitive communication 3. Use mod_rewrite to check for certain protocols / ciphers and redirect to a "protocol support is being dropped" page 4. Set a cookie when the user ACKs the protocol support change It's messy, but it works. The real solution is to simply disable SSLv3 since everybody has done it already. MSIE6 can just die. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/ 5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7 yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03 u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz 6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q KQZGC5YToFII1lj5wE49 =UN7o -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org