2

I'd like to redirect any users on our site if they try to use SSLv3 (if I just disable SSLv3 and a browser like IE6 comes along, I couldn't seem to properly redirect it to an http version of our site with an error message - so I'd like to allow SSLv3, but redirect if they are using it to an error message).

I think I want something like the following:

RewriteCond %{SSL_PROTOCOL} SSLv3
RewriteRule (.*) http://%{SERVER_NAME}/mysite/unsupported_browser.html

Unfortunately, %{SSL_PROTOCOL} always seems to be empty. I'm using Apache 2.2.15 on CentOS 6 32-bit. SSL works just fine for the website normally (i.e. https://mysite/mysite/unsupported_browser.html works fine).

There seem to be a bunch of variables that are supposed to be available, but are empty for me (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html).

Anyone have any ideas what I can do?

Jarrett
  • 261

2 Answers

2

The solution for this is:

RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule (.*) http://%{SERVER_NAME}/unsupported_browser.html [L,R=302]

This works for me :)

0

According to IBM[1], you should be able to interrogate ENV:SSL_PROTOCOL_VERSION environment variable, which should be exported by mod_ssl.

That said, it might be better[2] to only support TLSv1 and later, and have a custom error page to inform them that they need to switch to a browser that supports TLS1 or later.

[1]: "http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html#REWRITESSL"

[2]: Better, as in not having to make rewrite decisions that are computationally costly, when the fall-through to a static error page is less expensive to your server

DTK
  • 1,753
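A small lint for the failure described in the question, where a bare %{SSL_PROTOCOL} in a rewrite directive expands to an empty string while the first answer's %{SSL:SSL_PROTOCOL} lookup works. This is an added example, not part of the original posts; the function name and the sample config are constructed for illustration, and ENV: lookups such as the one in the second answer are left unflagged.

```python
import re

# Directives whose arguments mod_rewrite expands as %{NAME} variables.
DIRECTIVE = re.compile(r'^\s*(RewriteCond|RewriteRule)\b', re.IGNORECASE)
# %{SSL_...} with no lookup prefix; %{SSL:SSL_...} and %{ENV:SSL_...} do not match.
BARE_SSL_VAR = re.compile(r'%\{(SSL_[A-Za-z0-9_]+)\}')


def find_bare_ssl_vars(config_text):
    """Return (line_number, variable, suggested_fix) for each bare SSL variable."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        # Skip comments and anything that is not a rewrite directive.
        if line.lstrip().startswith('#') or not DIRECTIVE.match(line):
            continue
        for match in BARE_SSL_VAR.finditer(line):
            name = match.group(1)
            findings.append((number, name, '%{SSL:' + name + '}'))
    return findings


# Constructed sample: the question's rule followed by the first answer's rule.
SAMPLE_CONFIG = """\
RewriteEngine On
# attempt from the question
RewriteCond %{SSL_PROTOCOL} SSLv3
RewriteRule (.*) http://%{SERVER_NAME}/mysite/unsupported_browser.html
# fix from the first answer
RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
RewriteRule (.*) http://%{SERVER_NAME}/unsupported_browser.html [L,R=302]
"""

if __name__ == '__main__':
    for number, name, fix in find_bare_ssl_vars(SAMPLE_CONFIG):
        print(f'line {number}: %{{{name}}} is not a mod_rewrite variable; use {fix}')
```

Running it over a vhost or .htaccess file catches conditions that silently never match because the variable is always empty.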