4

I was looking to drop all support for the SSLv3 due to POODLE, but found that there are still some people coming from old browsers for the likes of IE on Windows XP.

How do I detect these SSLv3-only users from within nginx, and redirect them to some helper page with further instructions?

I definitely need no workarounds to keep these users using insecure browsers.

And I'll be especially happy if I could do the same thing to all non-SNI browsers: SSLv3 doesn't come with SNI, so if I could redirect non-SNI browsers, it'll solve SSLv3 problem too.

Community
  • 1
sanmai
  • 561

2 Answers2

4

Putting aside the issue of leaving SSLv3 enabled, you can simply instruct nginx to redirect based on whether the SSLv3 protocol is being used:

if ($ssl_protocol = SSLv3) {
  rewrite ^ /poodle-doodle.html;
}

You can test this from a shell:

$ wget --secure-protocol=SSLv3 -O - $SERVER_URL
# or
$ curl -v -3 $SERVER_URL
plasmid87
  • 2,118
0

I'm no expert with nginx config, but it should be possible to have a setup for a specific host name and additionally a default setup for all other requests. The setup for the name based host will automatically be used with https if the client uses SNI and the hostname given in SNI matches the configuration. In all other cases, that is different hostname, TLS clients without SNI and clients with SSL 3.0 (which does not support SNI) the default setup gets used so that you can serve different information there. This default setup then can do all the warnings you want to issue to older clients.

This way you could also use different certificates, like give all SNI clients a certificate signed with SHA-256 but the others only one signed with SHA-1, because these older clients might not support SHA-256 yet.

Edit: according to the comments from Xavier Lucas it will only use the certificate settings from the default (non-SNI) configuration, but the other settings depend on the Host header. This means no different document root for non-SNI clients.

Steffen Ullrich
  • 14,265