Hi!
On Tue, Jul 02, 2002 at 10:14:35AM +0100, [EMAIL PROTECTED] wrote:
> However, I think you might be able to connect users with a lower
> cipher to a different document root and from there direct them
> elsewhere. I recall this being raised before, so look in the
> archive of this list.
I've done this using mod_rewrite. For example, to redirect
browsers connecting with only export cipher strengths:

<Directory /path/to/special/directory>
    SSLOptions +StdEnvVars
    RewriteEngine on
    RewriteCond %{ENV:SSL_CIPHER_EXPORT} "^true$"
    RewriteRule ".*" /noexport.html [L]
</Directory>

Or to redirect browsers not connecting with at least 100 bit
effective key size:

<Directory /path/to/special/directory>
    SSLOptions +StdEnvVars
    RewriteEngine on
    RewriteCond %{ENV:SSL_CIPHER_USEKEYSIZE} "!^[0-9]{3}"
    RewriteRule ".*" /keytoosmall.html [L]
</Directory>

Note that the URIs you redirect to (here: /noexport.html and
/keytoosmall.html) have to live outside /path/to/special/directory
(or inside a subdirectory which has RewriteEngine off).
Of course, having StdEnvVars set for certain directories lowers
the performance, but I see no other way to check for cipher
parameters without letting the handshake fail.
Ciao
Thomas
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
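
Added example (not part of the original post or of mod_ssl): a small Python model of the two RewriteCond patterns in the post, run over constructed variable values, to show which connections each rule redirects and how each behaves when the SSL variables are not set. The function names and sample values are assumptions made for illustration.

```python
import re

# CondPatterns copied from the post. mod_rewrite runs them as regex
# searches against the expanded test string.
EXPORT_PATTERN = re.compile(r"^true$")
KEYSIZE_PATTERN = re.compile(r"^[0-9]{3}")  # the post negates this with "!"


def export_rule_redirects(env):
    """First config: redirect when SSL_CIPHER_EXPORT is exactly "true"."""
    # An unset variable expands to the empty string in %{ENV:...}.
    return bool(EXPORT_PATTERN.search(env.get("SSL_CIPHER_EXPORT", "")))


def keysize_rule_redirects(env):
    """Second config: redirect unless the key size starts with three digits."""
    return not KEYSIZE_PATTERN.search(env.get("SSL_CIPHER_USEKEYSIZE", ""))


# Constructed sample values, not captured from a real server.
SAMPLES = {
    "40-bit export": {"SSL_CIPHER_EXPORT": "true", "SSL_CIPHER_USEKEYSIZE": "40"},
    "56-bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "56"},
    "128-bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "128"},
    "168-bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "168"},
    "256-bit": {"SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "256"},
    "variables not set": {},
}


def evaluate(samples=SAMPLES):
    """Map each sample name to (export rule redirects, key size rule redirects)."""
    return {name: (export_rule_redirects(env), keysize_rule_redirects(env))
            for name, env in samples.items()}


if __name__ == "__main__":
    for name, (export, keysize) in evaluate().items():
        print(f"{name:18} export rule: {export!s:5}  key size rule: {keysize!s:5}")
```

In this model, a request whose SSL variables are empty passes the export rule but is redirected by the key size rule, so only the second configuration fails closed if SSLOptions +StdEnvVars is missing for the directory.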