A quick look over the source code for mod_jk and
the 1.3 connector seems to show that adding the mod_ssl environment variable
SSL_CIPHER_USEKEYSIZE would not be too hard, perhaps based on cloning the code
that implements SSL_CIPHER handling.
Can the SSL_CIPHER_USEKEYSIZE environment param be
added so that servlets can determine the key lengths used (low, medium or high
encryption)? It makes a lot of sense to be able to see this value in
connection to SSL_CIPHER since 40-bit encryption is weak no matter what SSL
cipher is being used. We'd like to be able to alert people to this and
inform them that they can upgrade their browser to have better SSL
protection. In fact, one of our customers even wants to reject people who
use fewer than 128 bits, and while this can be done "harshly" via mod_ssl, we'd
prefer to redirect users to a page explaining things more clearly.
Thanks,
David