
I want to set "force to use TLS 1.2" in my server httpd-ssl.conf

SSLProtocol -all +TLSv1.2

but I'm also considering that some client modules may not support TLS 1.2, and I would like to give them an exception so that TLS 1.x can be acceptable.

Am I able to do such thing?
e.g. disable the TLS 1.2 restriction for a specific URL path ( https:///specific/path/ ) or a specific service, or something like this.

thanks!

Freeman
  • 61
  • 6

2 Answers

1

The path component is only known after a successful TLS handshake. Additionally, multiple HTTP requests (with different paths) can be done within the same TCP connection. While in theory the server could first allow the TLS handshake with an older protocol version and then drop the connection if the client uses the established TLS session to access a path which requires a better TLS version, I don't think that this can be configured in Apache.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
0

This might help for APACHE: https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html

How can I create an SSL server which accepts many types of ciphers in general, but requires a strong cipher for access to a particular URL? Obviously, a server-wide SSLCipherSuite which restricts ciphers to the strong variants, isn't the answer here. However, mod_ssl can be reconfigured within Location blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

# be liberal in general -- use Mozilla's "Intermediate" ciphersuites (weaker
# ciphersuites may also be used, but will not be documented here)
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

<Location "/strong/area">
# but https://hostname/strong/area/ and below requires strong ciphersuites
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</Location>
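As an added illustration of the two answers (this is example code written for this page, not from the Apache project or either answerer): a small checker that walks an httpd-ssl.conf fragment, records the effective mod_ssl directives per Location, and flags SSLProtocol inside a Location block, since mod_ssl only accepts that directive in server or virtual-host context, whereas SSLCipherSuite may be overridden per path. The configuration text is constructed for the example; the directive-context table is limited to a few well-known directives.

```python
import re

# Constructed httpd-ssl.conf fragment: a global TLS 1.2-only policy, a
# per-path cipher override like the Apache howto, and a per-path
# SSLProtocol line that Apache would reject at startup.
SAMPLE_CONF = """\
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!DSS
<Location "/strong/area">
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
</Location>
<Location "/legacy/path">
    SSLProtocol all -SSLv3
</Location>
"""

# Directives whose context is "server config, virtual host" only (per the
# mod_ssl documentation); a subset chosen for this example.
SERVER_ONLY = {"sslprotocol", "sslengine", "sslcertificatefile"}

def audit_ssl_conf(text):
    """Return (effective, problems).

    effective: {"*" or location path: {directive: value}}
    problems:  [(line_number, location, directive)] for server-only
               directives that appear inside a <Location> block.
    """
    effective = {"*": {}}
    problems = []
    scope = "*"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        m = re.match(r'<Location\s+"?([^">]+)"?\s*>$', line, re.IGNORECASE)
        if m:
            scope = m.group(1)
            effective.setdefault(scope, {})
            continue
        if line.lower() == "</location>":
            scope = "*"
            continue
        parts = line.split(None, 1)            # directive name, then its arguments
        directive, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if scope != "*" and directive.lower() in SERVER_ONLY:
            problems.append((lineno, scope, directive))
            continue                           # not recorded: Apache refuses it
        effective[scope][directive] = value
    return effective, problems
```

Running `audit_ssl_conf(SAMPLE_CONF)` reports the `/legacy/path` SSLProtocol line as a problem while the `/strong/area` cipher override is accepted, which is exactly the distinction the two answers draw.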