I was looking to drop all support for SSLv3 due to POODLE, but found that there are still some people coming from old browsers, the likes of IE on Windows XP.
How do I detect these SSLv3-only users from within nginx, and redirect them to some helper page with further instructions?
I definitely need no workarounds to keep these users using insecure browsers.
And I'll be especially happy if I could do the same thing to all non-SNI browsers: SSLv3 doesn't come with SNI, so if I could redirect non-SNI browsers, it'll solve the SSLv3 problem too.
Answer
Putting aside the issue of leaving SSLv3 enabled, you can simply instruct nginx to redirect based on whether the SSLv3 protocol is being used:
    if ($ssl_protocol = SSLv3) {
        rewrite ^ /poodle-doodle.html;
    }
You can test this from a shell:
    $ wget --secure-protocol=SSLv3 -O - $SERVER_URL
    # or
    $ curl -v -3 $SERVER_URL
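The question also asks about non-SNI clients. The configuration below is an added example, not part of the original answer, that extends the `$ssl_protocol` check to clients that send no SNI, using nginx's `$ssl_server_name` variable. It assumes nginx 1.7.0 or later, an OpenSSL build that still offers SSLv3, and placeholder host name, certificate paths and web root.

```nginx
# Added example: place the map blocks in the http{} context.
# Host name, certificate paths and web root are placeholders.

# 1 when the handshake negotiated SSLv3, otherwise 0.
map $ssl_protocol $legacy_proto {
    default 0;
    SSLv3   1;
}

# $ssl_server_name is empty when the client sent no SNI extension.
map $ssl_server_name $no_sni {
    default 0;
    ""      1;
}

# Anything other than "00" (not SSLv3, SNI present) is a legacy client.
map "$legacy_proto$no_sni" $legacy_client {
    default 1;
    "00"    0;
}

server {
    # Clients without SNI always land on the default server for this
    # address and port, so the check has to live here.
    listen 443 ssl default_server;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key /etc/nginx/tls/example.key;

    # SSLv3 stays enabled only so these clients can complete a
    # handshake and be shown the notice page.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    root /var/www/example;

    # The notice page itself is served without the check (no loop).
    location = /poodle-doodle.html { }

    location / {
        if ($legacy_client) {
            return 302 /poodle-doodle.html;
        }
        try_files $uri $uri/ =404;
    }
}
```

Adding `$ssl_protocol` and `$ssl_server_name` to a `log_format` shows how many clients still match before SSLv3 is removed from `ssl_protocols`.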