Apache: Handling weak browsers

Normally most webservers these days that hold sensitive information allow SSL ciphers of 128 bit or higher. However, it would be nice to redirect older browsers to a different page, suggesting that they upgrade their browser to one supporting decent encryption. This can be done in Apache with mod_rewrite and enabling lower strength ciphers. Read on to see example configuration code…

The following belongs in your SSL VirtualHost:

# if the SSL key does not contain 3 characters
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE}  <128
# AND there were some arguments in the URL (it was followed by ?something)
RewriteCond %{QUERY_STRING} .
# Redirect to lowcrypt, passing the requested URL as an argument with the
# original args (QUERY_STRING) intact
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI}?%{QUERY_STRING} [R,NE,L]

# if the key does not contain 3 characters
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
# Redirect to lowcrypt, passing the requested URL as an argument
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%{SERVER_NAME}%{REQUEST_URI} [R,NE,L]

# You can tweak this to your liking, but here is a rather permissive example
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP:+eNULL

Note that to test this with firefox, I had to do the following to allow weak ciphers and disable strong ones:

  1. Point the Firefox browser to, “about:config”
  2. For filter, enter “ssl”
  3. Disable SSL v3 by setting "security.enable_ssl3 = false"
  4. Enable SSL v2 by setting "security.enable_ssl2 = true"
  5. I found that I had to go in and actually enable an SSL V2 cipher as well: "security.ssl2.rc2_40 = true"

Works great!

Share and Enjoy:
  • Print
  • Facebook
  • Twitter
  • PDF

Leave a Reply

Your email address will not be published. Required fields are marked *