You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by ghost <gh...@ghostblog.info> on 2016/08/02 21:26:28 UTC
[users@httpd] Is it possible to set different protocol for particular User-Agent?
Hello there,
I was trying to show a notice page to IE6 users since my site doesn't support SSLv3 anymore. And the problem is how to enable SSLv3 only for IE otherwise the IE6 users won't be able to see the page.
I found some tricks about '<location>' in the documentation, which allows me to set different protocol and cipher suites for particular URL. I wonder if there is a method to set the protocol for particular UA?
Thanks,
ghost
Re: [users@httpd] Is it possible to set different protocol for
particular User-Agent?
Posted by Erik Dobák <er...@gmail.com>.
issue should be solved by replacing management who thinks IE6 is a
good idea. no really the browser should be irrelevant in any http
solution.
On 9 August 2016 at 17:58, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Daniel,
>
> On 8/3/16 4:55 AM, Daniel wrote:
>> No, by the time the user agent or any actual http data gets to be
>> seen the protocol/cipher and complete ssl connection has already
>> been stablished.
>>
>> 2016-08-02 23:26 GMT+02:00 ghost <ghost@ghostblog.info
>> <ma...@ghostblog.info>>:
>>
>> Hello there,
>>
>> I was trying to show a notice page to IE6 users since my site
>> doesn't support SSLv3 anymore. And the problem is how to enable
>> SSLv3 only for IE otherwise the IE6 users won't be able to see the
>> page.
>>
>> I found some tricks about '<location>' in the documentation, which
>> allows me to set different protocol and cipher suites for
>> particular URL. I wonder if there is a method to set the protocol
>> for particular UA?
>>
>> Thanks, ghost
>
> There *is* a way to do this.. kind of. I did it long ago when we were
> thinking about changing our protocol support, etc. I no longer have
> the configuration, so I'll explain what we did:
>
> 1. Configure mod_ssl for the lowest protocol/ciphers you will support
> 2. Use <Directory> and/or <Location> to change the TLS protocol
> requirements for truly sensitive communication
> 3. Use mod_rewrite to check for certain protocols / ciphers and
> redirect to a "protocol support is being dropped" page
> 4. Set a cookie when the user ACKs the protocol support change
>
> It's messy, but it works.
>
> The real solution is to simply disable SSLv3 since everybody has done
> it already. MSIE6 can just die.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP
> uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/
> 5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm
> vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I
> JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf
> qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7
> yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03
> u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g
> E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S
> T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz
> 6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q
> KQZGC5YToFII1lj5wE49
> =UN7o
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is it possible to set different protocol for
particular User-Agent?
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Daniel,
On 8/3/16 4:55 AM, Daniel wrote:
> No, by the time the user agent or any actual http data gets to be
> seen the protocol/cipher and complete ssl connection has already
> been stablished.
>
> 2016-08-02 23:26 GMT+02:00 ghost <ghost@ghostblog.info
> <ma...@ghostblog.info>>:
>
> Hello there,
>
> I was trying to show a notice page to IE6 users since my site
> doesn't support SSLv3 anymore. And the problem is how to enable
> SSLv3 only for IE otherwise the IE6 users won't be able to see the
> page.
>
> I found some tricks about '<location>' in the documentation, which
> allows me to set different protocol and cipher suites for
> particular URL. I wonder if there is a method to set the protocol
> for particular UA?
>
> Thanks, ghost
There *is* a way to do this.. kind of. I did it long ago when we were
thinking about changing our protocol support, etc. I no longer have
the configuration, so I'll explain what we did:
1. Configure mod_ssl for the lowest protocol/ciphers you will support
2. Use <Directory> and/or <Location> to change the TLS protocol
requirements for truly sensitive communication
3. Use mod_rewrite to check for certain protocols / ciphers and
redirect to a "protocol support is being dropped" page
4. Set a cookie when the user ACKs the protocol support change
It's messy, but it works.
The real solution is to simply disable SSLv3 since everybody has done
it already. MSIE6 can just die.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP
uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/
5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm
vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I
JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf
qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7
yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03
u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g
E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S
T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz
6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q
KQZGC5YToFII1lj5wE49
=UN7o
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Is it possible to set different protocol for
particular User-Agent?
Posted by Daniel <df...@gmail.com>.
No, by the time the user agent or any actual http data gets to be seen the
protocol/cipher and complete ssl connection has already been stablished.
2016-08-02 23:26 GMT+02:00 ghost <gh...@ghostblog.info>:
> Hello there,
>
> I was trying to show a notice page to IE6 users since my site doesn't
> support SSLv3 anymore. And the problem is how to enable SSLv3 only for IE
> otherwise the IE6 users won't be able to see the page.
>
> I found some tricks about '<location>' in the documentation, which allows
> me to set different protocol and cipher suites for particular URL. I wonder
> if there is a method to set the protocol for particular UA?
>
> Thanks,
> ghost
>
--
*Daniel Ferradal*
IT Specialist
email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal