
This thread shows that it is not possible to have separate virtual sites using different SSL protocols. Here is a github issue discussion about this

What I would like to do is show a specific static page where protocol negotiation fails.

In my Apache2.4 server default.conf file I have

<IfModule mod_ssl.c>
 # Only TLS 1.2 and newer are accepted; anything older fails the handshake.
 SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
 SSLHonorCipherOrder     on
 SSLCompression          off
 SSLSessionTickets       off
</IfModule>

I force use of TLSv1.2, except that I have found that some IE installs don't have TLSv1.2 enabled by default (and do have SSLv3.0 enabled...yikes), and so a user viewing my site from IE just gets a generic "connection failed" error, not an error generated at the server end of the conversation. I'd like to somehow force a static page explaining the issue and a fix for the issue.

Is this possible?

Update 1 year on: Still looking for a solution that doesn't lower my site's security. I want to accept ONLY TLSv1.2 (or higher) at my web site(s), but I'd like to redirect to a set page, probably under a sub domain or a completely new domain, that allows for lower security (perhaps even none) where I say something static along the lines of 'Your browser is too old to safely connect to the website. You should upgrade your browser or change to a supported browser like Chrome, Firefox, Edge (each with links)'.

Surely in this modern time of strong security on web sites, and any number of compliances, this shouldn't be an issue. Anyone using a modern browser gets what I want delivered in a secure manner; it is just those that use outdated versions of old browsers that simply get a 'cannot connect' error with no explanation or solutions offered to fix it.

Matt
    Of course it's not possible. If no TLS connection could be established, how do you expect to receive a HTTP request *or* send a HTTP response? – womble Nov 10 '17 at 01:46
  • What @womble said. If you disable the protocol, you utterly prevent any connections using that protocol. If you want to receive connections with some protocol, you must re-enable it. – Michael Hampton Nov 10 '17 at 02:08
  • OK so if I re-enable the protocols, can I segregate which page shows based on which protocol is used – Matt Nov 10 '17 at 02:21
  • Probably, but that's not the question you're asking at the moment. – womble Nov 10 '17 at 21:46


The protocol in use is available to mod_rewrite through the %{SSL:whatever} variables. Of course, for this to work, you will have to re-enable the offending protocols first.

The list of available SSL vars can be found here: http://httpd.apache.org/docs/current/mod/mod_ssl.html#envvars

Generally speaking, this kind of solution is a bad idea. Allowing a deprecated protocol to be used would actually cause some older browsers to stick to a bad one without switching to a good one instead. So you will actually be denying access to some users which otherwise would have been able to communicate.

  • Thanks for the response and the link. I agree that it is a bad idea to reduce my security to catch these very infrequent visitors with outdated browsers. I was thinking that I'd redirect to a static page on another domain, without any security, and that way I could keep the existing security for the other hosted websites. I just need a way to catch the failures to connect... – Matt Dec 13 '18 at 01:15
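The following is an added example of what the answer describes; it is not configuration from the poster or from the answerer. It keeps everything in a single TLS virtual host (the linked thread says per-site protocol differences are not possible), re-enables TLS 1.0 and 1.1 purely so that a handshake can complete and mod_rewrite can inspect %{SSL:SSL_PROTOCOL}, and hands anything below TLS 1.2 a static explanatory page. Hostnames, certificate paths and the page filename are placeholders. The downside the answer points out still applies: any protocol listed in SSLProtocol is a protocol the server will actually talk.

```apache
# Added example (not the poster's config): one TLS virtual host that
# re-enables TLS 1.0/1.1 solely so that mod_rewrite can see which
# protocol the client negotiated, and serves a static "browser too old"
# page to anything below TLS 1.2. Hostnames and paths are placeholders.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName              www.example.com
    DocumentRoot            /var/www/example

    # Re-enable the protocols you want to *detect*. Leaving SSLv3 off
    # keeps POODLE-era clients out entirely; anything accepted here can
    # complete a handshake and therefore send a request.
    SSLEngine               on
    SSLProtocol             all -SSLv3
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLSessionTickets       off
    SSLCertificateFile      /etc/ssl/certs/example.crt
    SSLCertificateKeyFile   /etc/ssl/private/example.key

    # The handshake also needs a cipher the old client supports. TLS 1.0
    # and 1.1 cannot use the AEAD (GCM/ChaCha20) suites, so an AEAD-only
    # list would still reject them before mod_rewrite ever runs. The two
    # CBC suites at the end exist only for those clients; modern browsers
    # take a GCM suite first because SSLHonorCipherOrder is on.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA

    RewriteEngine on
    # %{SSL:SSL_PROTOCOL} is filled in by mod_ssl for the current
    # connection (e.g. "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3") and does
    # not need SSLOptions +StdEnvVars. Match anything that is not
    # TLS 1.2 or 1.3 ...
    RewriteCond %{SSL:SSL_PROTOCOL} !^TLSv1\.[23]$
    # ... but let the warning page and its assets through, or the rule
    # would rewrite its own output in a loop.
    RewriteCond %{REQUEST_URI} !^/browser-too-old(/|\.html$)
    # Internal rewrite: the old client sees the explanatory page at the
    # URL it asked for. No redirect is issued, so an HSTS header on this
    # host is not a problem and nothing leaves TLS.
    RewriteRule ^ /browser-too-old.html [L]

    # Alternative for the poster's "other domain" idea: a 302 to a
    # plain-HTTP host. Use a *different* hostname, because a browser that
    # has cached a Strict-Transport-Security header for www.example.com
    # will refuse to follow an http:// redirect back to that name.
    # RewriteRule ^ http://upgrade.example.com/ [R=302,L]
</VirtualHost>
</IfModule>
```

After reloading, `openssl s_client -connect www.example.com:443 -tls1` followed by a `GET / HTTP/1.0` request should return the static page, while `-tls1_2` returns the real site; if the TLS 1.0 handshake still fails, check the cipher list before suspecting the rewrite rules.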