Apache: Handling weak browsers

Normally most webservers these days that hold sensitive information allow SSL ciphers of 128 bit or higher. However, it would be nice to redirect older browsers to a different page, suggesting that they upgrade their browser to one supporting decent encryption. This can be done in Apache with mod_rewrite and enabling lower strength ciphers. Read on to see example configuration code…

The following belongs in your SSL VirtualHost:

# if the SSL key does not contain 3 characters
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE}  <128
# AND there were some arguments in the URL (it was followed by ?something)
RewriteCond %{QUERY_STRING} .
# Redirect to lowcrypt, passing the requested URL as an argument with the
# original args (QUERY_STRING) intact
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI}?%{QUERY_STRING} [R,NE,L]

# if the key does not contain 3 characters
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
# Redirect to lowcrypt, passing the requested URL as an argument
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI} [R,NE,L]

# You can tweak this to your liking, but here is a rather permissive example
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP:+eNULL

Note that to test this with firefox, I had to do the following to allow weak ciphers and disable strong ones:

  1. Point the Firefox browser to, “about:config”
  2. For filter, enter “ssl”
  3. Disable SSL v3 by setting "security.enable_ssl3 = false"
  4. Enable SSL v2 by setting "security.enable_ssl2 = true"
  5. I found that I had to go in and actually enable an SSL V2 cipher as well: "security.ssl2.rc2_40 = true"

Works great!

Apache: time-sensitive redirects, backdoor entry

Apache’s mod_rewrite can be used to do time-sensitive redirects… handy if you have to make a scheduled change at an inconvenient time. But even better, what if you need to get to the original site? This example also includes a url /backdoorthat sets a 15 min cookie, redirects to the main page, and an exclusion to not redirect anyone who has that cookie set. Cool stuff.

    RewriteEngine On
    # Start redirecting after this datetime
    RewriteCond %{TIME_YEAR}%{TIME_MON}%{TIME_DAY}%{TIME_HOUR}%{TIME_MIN} >200904040900
    # Don't redirect certain paths
    RewriteCond %{REQUEST_URI} !^/favicon.ico
    RewriteCond %{REQUEST_URI} !^/webservices
    RewriteCond %{REQUEST_URI} !^/backdoor
    # Don't redirect if backdoor cookie is active
    RewriteCond %{HTTP_COOKIE} !backdoor
    # Do the rewrite
    RewriteRule .* http://mynewhostname/ [R,L]

    # Allow back door access to old site (this site) - hit /backdoor and they get a cookie for
    # 15 mins such that they won't be redirected while it is active.
    RewriteRule ^/backdoor http://myoldhostname/ [CO=backdoor:yes:myoldhostname:15:/]