There is one service on a virtual machine with a dedicated IP that is required to be accessible via SSLv3 (WinXP with IE6 clients). I moved that service several years ago to that virtual machine to be able to disable SSLv3 for all the other services.
I would like to notify the SSLv3 clients for that service that this service will require TLS 1.1 or higher at "some time". That notification must not be shown on any other clients (business decision).
To achieve this I was thinking of injecting the used SSL/TLS version information on the proxies (Apache) into the original HTTP request to let the backend application conditionally place that "upgrade your system, dinosaur!" notification based on the actual used transport layer security method.
How do I configure the injection? I found the needed environment variables only when Apache is compiled with debug flags but that is not possible on production.
The final result should be that Apache Proxy is injecting the HTTP request header "X-TLS-Version: SSL3" (or "X-TLS-Version: TLS12" or similar syntax).
Apache's mod_ssl makes a number of environment variables available when the SSLOptions directive +StdEnvVars is enabled, which includes the SSL protocol:
Which you can then use as a condition to set a header when SSLv3 is used:
To always set a header with the SSL protocol the following may work:
which has a small advantage that for simple scenarios you don't need to incur the overhead of SSLOptions +StdEnvVars but can access certain SSL variables directly with the %{FOOBAR}s syntax.
Neither was tested.
Set SSLOptions +StdEnvVars and a variety of SSL/TLS-related environment variables will be set. (And you may find this value already set in your web server config, as it is in some sample configs.)
The environment variable your application will want to inspect will be SSL_PROTOCOL.
And you have all our condolences for not being able to remove IE6 and XP from your environment on time.
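One way to write the header injection the answers above describe, as an added example that is not part of the original posts. The address, hostname, certificate paths and backend URL are placeholders; the header carries mod_ssl's own protocol names (for example SSLv3), not the "SSL3" spelling from the question.

```apache
# Added example. Address 192.0.2.10, legacy.example.com, the certificate
# paths and the backend URL are placeholders, not values from the page.
# Needs mod_ssl, mod_headers, mod_proxy and mod_proxy_http loaded.

<VirtualHost 192.0.2.10:443>
    ServerName legacy.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/legacy.example.com.crt
    SSLCertificateKeyFile /path/to/legacy.example.com.key

    # "set" replaces any X-TLS-Version the client sent itself, so the
    # backend only sees the protocol mod_ssl negotiated for this connection.
    # %{SSL_PROTOCOL}s reads the mod_ssl variable directly and does not
    # need SSLOptions +StdEnvVars. Values look like SSLv3, TLSv1, TLSv1.1,
    # TLSv1.2.
    RequestHeader set X-TLS-Version "%{SSL_PROTOCOL}s"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# Any other vhost that forwards to the same backend: strip the header so a
# client cannot supply its own value over a connection without TLS.
<VirtualHost 192.0.2.10:80>
    ServerName legacy.example.com

    RequestHeader unset X-TLS-Version

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should treat the header as trustworthy only when the request arrives from the proxy's address, since anything that can reach the backend directly can send the header itself.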