Sunday, December 27, 2015

ssl - Redirect users connecting with SSLv3 within nginx



I was looking to drop all support for the SSLv3 due to POODLE, but found that there are still some people coming from old browsers for the likes of IE on Windows XP.



How do I detect these SSLv3-only users from within nginx, and redirect them to some helper page with further instructions?



I definitely need no workarounds to keep these users using insecure browsers.



And I'll be especially happy if I could do the same thing to all non-SNI browsers: SSLv3 doesn't come with SNI, so if I could redirect non-SNI browsers, it'll solve SSLv3 problem too.


Answer




Putting aside the issue of leaving SSLv3 enabled, you can simply instruct nginx to redirect based on whether the SSLv3 protocol is being used:



# $ssl_protocol holds the protocol the client negotiated (SSLv3, TLSv1, ...)
if ($ssl_protocol = SSLv3) {
    rewrite ^ /poodle-doodle.html;
}


You can test this from a shell:



# force an SSLv3-only handshake; the helper page should come back
$ wget --secure-protocol=SSLv3 -O - $SERVER_URL

# or (-3 is curl's --sslv3)
$ curl -v -3 $SERVER_URL
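A fuller server block built on the same `$ssl_protocol` check, added here as an example and not part of the original answer. It logs the negotiated protocol so the SSLv3 share can be measured before support is dropped, sends SSLv3 clients to the helper page with an external 302 while exempting the helper page itself so the redirect cannot loop, and also covers the non-SNI case from the question through nginx's `$ssl_server_name` variable (empty when the client sent no SNI; available in nginx 1.7.0 and later). The hostname, certificate paths, log path and helper-page root are assumed placeholders; `/poodle-doodle.html` is the URI from the answer.

```nginx
# Added example (not the original answer's configuration).
# Log which protocol each client negotiated, so SSLv3 traffic can be counted.
log_format tlsproto '$remote_addr [$time_local] $ssl_protocol $ssl_cipher '
                    '"$request" $status "$http_user_agent"';

server {
    listen 443 ssl;
    server_name example.com;                                # assumed hostname

    ssl_certificate     /etc/nginx/ssl/example.com.crt;     # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;     # assumed path

    # SSLv3 has to stay enabled for these clients to reach the helper page at all;
    # remove it from this list once the helper page has done its job.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    access_log /var/log/nginx/tls.log tlsproto;             # assumed path

    # nginx "if" cannot combine conditions, so accumulate the decision in a variable.
    set $legacy "";

    # SSLv3 clients (the POODLE case from the answer).
    if ($ssl_protocol = SSLv3) {
        set $legacy 1;
    }

    # Clients that sent no SNI at all (the second part of the question).
    if ($ssl_server_name = "") {
        set $legacy 1;
    }

    # Never redirect a request for the helper page itself, or the 302 would loop.
    if ($uri = /poodle-doodle.html) {
        set $legacy "";
    }

    # External redirect, so the browser's address bar shows the helper page.
    if ($legacy) {
        return 302 /poodle-doodle.html;
    }

    location = /poodle-doodle.html {
        root /var/www/helper;                               # assumed path
    }

    location / {
        root /var/www/site;                                 # assumed path
    }
}
```

Two caveats when testing this: the `$ssl_server_name` rule also catches scripts that connect by IP address (curl and wget send no SNI for a bare IP), so exercise it with a hostname; and recent curl, wget and OpenSSL builds are often compiled without SSLv3, in which case the `-3` / `--secure-protocol=SSLv3` tests above fail at the client before any handshake reaches nginx.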
