Apache: Handling weak browsers

Tuesday, April 28 2009 @ 04:42 PM CDT

Contributed by: nat

These days, most web servers that hold sensitive information allow only SSL ciphers of 128 bits or higher. However, it would be nice to redirect older browsers to a different page that suggests they upgrade to a browser supporting decent encryption. This can be done in Apache by using mod_rewrite and enabling lower-strength ciphers. Read on to see example configuration code...

The following belongs in your SSL VirtualHost:

# if the negotiated SSL key size is below 128 bits
RewriteCond %  <128
# AND there were some arguments in the URL (it was followed by ?something)
RewriteCond % .
# Redirect to lowcrypt, passing the requested URL as an argument with the
# original args (QUERY_STRING) intact
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%%?% [R,NE,L]

# if the negotiated SSL key size is below 128 bits
RewriteCond % <128
# Redirect to lowcrypt, passing the requested URL as an argument
RewriteRule .*  http://lowcrypt.gatech.edu/index.php?https://%% [R,NE,L]

# You can tweak this to your liking, but here is a rather permissive example
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+SSLv2:+EXP:+eNULL

Note that to test this with Firefox, I had to do the following to allow weak ciphers and disable strong ones:
  1. Point the Firefox browser to "about:config"
  2. For filter, enter "ssl"
  3. Disable SSL v3 by setting "security.enable_ssl3 = false"
  4. Enable SSL v2 by setting "security.enable_ssl2 = true"
  5. I found that I had to go in and actually enable an SSL v2 cipher as well: "security.ssl2.rc2_40 = true"
Works great!
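
The variable references in the rewrite rules above survive in this copy of the post only as a bare "%". The following is an added example, not the author's original code, showing one complete form of those rules. Assumptions: SSL:SSL_CIPHER_USEKEYSIZE, HTTP_HOST and REQUEST_URI stand in for the missing names (QUERY_STRING is named in the post's own comments), and RewriteEngine On is added because the rules are ignored without it.

```apache
# Added example (not from the original post); place inside the SSL VirtualHost.
# Variable names other than QUERY_STRING are assumptions, see the lead-in.
RewriteEngine On

# Negotiated cipher uses fewer than 128 key bits. mod_rewrite reads mod_ssl
# variables through the SSL: prefix.
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
# AND the request carried a query string
RewriteCond %{QUERY_STRING} .
# Redirect to lowcrypt, passing the requested URL with its original query
# string. A "?" in the substitution replaces the request's query string, so
# it is re-appended by hand; NE stops mod_rewrite from escaping the
# embedded URL.
RewriteRule .* http://lowcrypt.gatech.edu/index.php?https://%{HTTP_HOST}%{REQUEST_URI}?%{QUERY_STRING} [R,NE,L]

# Same key-size test for requests without a query string
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
RewriteRule .* http://lowcrypt.gatech.edu/index.php?https://%{HTTP_HOST}%{REQUEST_URI} [R,NE,L]
```

Because the redirect target is plain http://, the original URL and its query string travel to lowcrypt unencrypted, so URLs covered by these rules should not carry sensitive parameters. SSL_CIPHER_USEKEYSIZE is 0 for eNULL suites, so connections that negotiated no encryption at all are redirected as well.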
