Re: TLS 1.0 Backing Down to SSL 3.0
Fought, Richard wrote:

> I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS 1.0 only. I have set the SSLCipherSuite accordingly, however when I connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get through because of the TLS ability to back down to SSL 3.0. Is there a way to disable this behavior in the configuration?

Hi Richard,

if no config rules work maybe the fastest way to achieve your goal are redirects depending on the current client protocol spoken. For example, redirecting every browser not communicating via TLS to an extra error page:

    SSLOptions +StdEnvVars
    RewriteEngine on
    RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
    RewriteCond %{REQUEST_URI} !^/error/.*$
    RewriteRule .* /error/no_tls_encryption.html [R,L]

Did not test this myself, see further details on http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond

Greetings from Germany,
Eckard

__
Apache Interface to OpenSSL (mod_ssl)  www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
RE: TLS 1.0 Backing Down to SSL 3.0
> Hi Richard,
>
> if no config rules work maybe the fastest way to achieve your goal are redirects depending on the current client protocol spoken. For example, redirecting every browser not communicating via TLS to an extra error page:
>
>     SSLOptions +StdEnvVars
>     RewriteEngine on
>     RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
>     RewriteCond %{REQUEST_URI} !^/error/.*$
>     RewriteRule .* /error/no_tls_encryption.html [R,L]
>
> Did not test this myself, see further details on http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond
>
> Greetings from Germany,
> Eckard

Eckard,

Thanks for the excellent suggestion but I found the solution. I was focusing on SSLCipherSuite so much that I completely missed the SSLProtocol directive. It is not included in the default config and thus apparently defaults to all. Setting this to TLSv1 only yields the expected results - clients are not allowed to connect.

Your solution does present a more elegant result in that this page can be used to inform the user that they need to enable TLSv1 in their browser, or use one that supports TLS.

Regards,
Rich
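An added example, not part of the thread: a small auditor that reads httpd configuration text and reports which protocols `SSLProtocol` leaves enabled, covering the case Rich hit where the directive is absent and everything is on. It assumes the Apache 2.0 protocol names (SSLv2, SSLv3, TLSv1, all), a single server context, and that an unprefixed name replaces the set built so far; the function names and sample configs are constructed for illustration.

```python
import re

# Protocol names mod_ssl in Apache 2.0 accepts; "all" stands for every one of them.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
ALL = frozenset(KNOWN.values())

def effective_protocols(config_text):
    """Return (enabled_protocols, directive_found) for a single server context."""
    enabled, found = set(ALL), False      # no SSLProtocol line means "all"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # Apache comments occupy whole lines
            continue
        m = re.match(r"sslprotocol\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        found, enabled = True, set()      # assumption: a later directive replaces an earlier one
        for token in m.group(1).split():
            action = token[0] if token[0] in "+-" else ""
            name = token.lstrip("+-").lower()
            if name == "all":
                chosen = set(ALL)
            elif name in KNOWN:
                chosen = {KNOWN[name]}
            else:
                raise ValueError(f"unknown protocol in SSLProtocol: {token!r}")
            if action == "+":
                enabled |= chosen
            elif action == "-":
                enabled -= chosen
            else:
                enabled = chosen          # unprefixed name replaces the set so far
    return enabled, found

def audit(config_text, allowed=("TLSv1",)):
    """Report which enabled protocols fall outside the allowed list."""
    enabled, found = effective_protocols(config_text)
    return {"directive_present": found,
            "enabled": sorted(enabled),
            "unwanted": sorted(enabled - set(allowed))}

# Constructed sample configs (not taken from the thread).
CIPHERS_ONLY = "SSLEngine on\nSSLCipherSuite HIGH:MEDIUM\n"
PARTIAL = "SSLEngine on\nSSLProtocol all -SSLv2\n"
TLS_ONLY = "SSLEngine on\n# restrict the handshake itself\nSSLProtocol TLSv1\n"

if __name__ == "__main__":
    for label, cfg in [("ciphers only", CIPHERS_ONLY), ("partial", PARTIAL), ("TLS only", TLS_ONLY)]:
        print(label, audit(cfg))
```

A config that only sets `SSLCipherSuite` is reported with `directive_present` false and SSLv2/SSLv3 listed as unwanted, which matches the behaviour described in the thread.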
TLS 1.0 Backing Down to SSL 3.0
Hello,

I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS 1.0 only. I have set the SSLCipherSuite accordingly, however when I connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get through because of the TLS ability to back down to SSL 3.0. Is there a way to disable this behavior in the configuration?

Thanks,
Rich