-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Daniel,
On 8/3/16 4:55 AM, Daniel wrote: > No, by the time the user agent or any actual http data gets to be > seen the protocol/cipher and complete ssl connection has already > been stablished. > > 2016-08-02 23:26 GMT+02:00 ghost <gh...@ghostblog.info > <mailto:gh...@ghostblog.info>>: > > Hello there, > > I was trying to show a notice page to IE6 users since my site > doesn't support SSLv3 anymore. And the problem is how to enable > SSLv3 only for IE otherwise the IE6 users won't be able to see the > page. > > I found some tricks about '<location>' in the documentation, which > allows me to set different protocol and cipher suites for > particular URL. I wonder if there is a method to set the protocol > for particular UA? > > Thanks, ghost There *is* a way to do this.. kind of. I did it long ago when we were thinking about changing our protocol support, etc. I no longer have the configuration, so I'll explain what we did: 1. Configure mod_ssl for the lowest protocol/ciphers you will support 2. Use <Directory> and/or <Location> to change the TLS protocol requirements for truly sensitive communication 3. Use mod_rewrite to check for certain protocols / ciphers and redirect to a "protocol support is being dropped" page 4. Set a cookie when the user ACKs the protocol support change It's messy, but it works. The real solution is to simply disable SSLv3 since everybody has done it already. MSIE6 can just die. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJXqf2XAAoJEBzwKT+lPKRYfiYP/3/2pY4U3V4YFCEkpY/N7VjP uTO7PWb8f7GvNW7X0BT0RMkq1bhdw1N8lV6xWfouMgOAjwPYoHjLMHOyDFIdJUu/ 5CA77bt7k4tijXHqJE3eINY4MJZ6Z/4XC41UYeSDTJBXdVFnEW/H2kOBC8yIWaQm vQrDp5a8TEWCQ3UMU5UiBlT2X/7qAd0GK6KUW4z+PC09u/packXspZ+cfs+O7h7I JDK8rRflIqVL1jELVRrqbj6js8jTgONV9PN7ArEGrWdiZG7ARaXM5C+BO6LN1zqf qlW7tBRL6OksFaBreA4plhgCQOZjyGNb+LgXB/3xWF0Qb5fx+02Fzwdc14Cf4Im7 yIMYPAhSq+Myt9i5dFl5dustsYk39Gy9ro0gRulsXhPcrqiip6ldCHahN3sn1R03 u+HRIFIMYySmr+SKkdZK+JQ7Y/Qvtyw0RCkLReidwLhKqTkf9F3gVVcmQUqYLk7g E3UiXsioy9TMiywbE8RSKC+8E+L0OG4kv5s4EHZ11F8ja38cDqrGdXOFt1L6yk/S T801Oh4uMfJalpfTrlDUeOINB4G27G621tfZHBpjE42vO2Hle0BV2tmp9WzPDjwz 6sFCfKmn/cDT3vCiegxlsE2XtiADRPexHdoEzWm9m8ZoQGVW65ip0RkNUFcjmf2q KQZGC5YToFII1lj5wE49 =UN7o -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
