There is one service on a virtual machine with a dedicated IP that is required to be accessible via SSLv3 (WinXP with IE6 clients). I moved that service several years ago to that virtual machine to be able to disable SSLv3 for all the other services.
I would like to notify the SSLv3 clients for that service that this service will require TLS 1.1 or higher at "some time". That notification must not be shown on any other clients (business decision).
To achieve this I was thinking of injecting the used SSL/TLS version information on the proxies (Apache) into the original HTTP request to let the backend application conditionally place that "upgrade your system, dinosaur!" notification based on the actual used transport layer security method.
How do I configure the injection? I found the needed environment variables only when Apache is compiled with debug flags but that is not possible on production.
The final result should be that Apache Proxy is injecting the HTTP request header "X-TLS-Version: SSL3" (or "X-TLS-Version: TLS12" or similar syntax).
Best Answer
Apache's mod_ssl makes a number of environment variables available when the SSLOptions directive +StdEnvVars is enabled, which includes the SSL protocol:
Which you can then use as a condition to set a header when SSLv3 is used:
To always set a header with the SSL protocol the following may work:
which has a small advantage that for simple scenarios you don't need to incur the overhead of SSLOptions +StdEnvVars but can access certain SSL variables directly with the %{FOOBAR}s syntax.
Neither was tested.
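
The header injection described in the answer, written out as an added example that is not part of the original answer. The IP address, host name and backend URL are placeholders, and the existing SSLProtocol and certificate directives of the virtual host are assumed to stay as they are.

```apache
# Added example: placeholders throughout, not the asker's real configuration.
# Requires mod_ssl, mod_headers and mod_proxy_http to be loaded.

<VirtualHost 192.0.2.10:443>
    ServerName legacy.example.com
    SSLEngine on
    # ... existing SSLProtocol / SSLCertificateFile / SSLCertificateKeyFile
    #     directives remain unchanged here ...

    # "set" replaces any X-TLS-Version header the client sent itself, so the
    # backend only ever sees the protocol negotiated on this connection.
    # %{SSL_PROTOCOL}s is the mod_headers format specifier for mod_ssl
    # variables and works without SSLOptions +StdEnvVars.
    # The value is mod_ssl's own spelling (SSLv3, TLSv1, TLSv1.1, TLSv1.2),
    # not "SSL3" / "TLS12", so the backend must compare against those strings.
    RequestHeader set X-TLS-Version "%{SSL_PROTOCOL}s"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# If the same backend is also reachable through a plain-HTTP virtual host,
# strip the header there so the notification logic cannot be driven by a
# value the client supplied.
<VirtualHost 192.0.2.10:80>
    ServerName legacy.example.com
    RequestHeader unset X-TLS-Version

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should trust X-TLS-Version only on requests that arrive from the proxy's address, since anything that reaches the backend directly can set the header freely.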