[HTTPS-Everywhere] Fwd: URGENT! BROKEN SSL MitM Vulnerability for HTTPS Everywhere --- RE: HTTPS Everywhere doesn't cover all Facebook sub domains
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri May 6 12:58:51 PDT 2011
On 05/06/2011 03:47 PM, Chris Palmer wrote:
> Does anyone know the Apache configuration file magic required to make Apache send an error page when people connect with SSL v2, and to send that error page only on SSL errors and not on other pages?
I'm assuming you're using mod_ssl and not mod_gnutls, since gnutls
doesn't implement SSLv2 in the first place.
It looks like the variable SSL_PROTOCOL will be set to SSLv2:
https://httpd.apache.org/docs/2.2/mod/mod_ssl.html
So you should be able to combine that with mod_rewrite:
RewriteEngine On
# %{SSL:...} looks the variable up from mod_ssl directly, so SSLOptions +StdEnvVars is not needed
RewriteCond %{SSL:SSL_PROTOCOL} =SSLv2
# external redirect; [L] stops further rules for this request
RewriteRule .* http://some.other.site/explanation-why-sslv2-is-bad [R,L]
https://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond
(none of this is tested, sorry)
Of course, you'll want to make sure that SSLv2 is at the end of your
SSLCipherSuite directive so it doesn't get selected by systems that can
actually support SSLv3 or TLS.
hth,
--dkg
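As an added example (this is not from the message above, and not from the HTTPS Everywhere project), here is the rewrite approach placed inside a complete Apache 2.2 mod_ssl virtual host. The host name, certificate paths and the /sslv2-not-supported.html page are placeholders. Two points the sketch above leaves implicit: the handshake has to succeed before mod_rewrite ever sees a request, so SSLv2 must stay enabled in SSLProtocol for an SSLv2 client to receive the explanation page at all (which is exactly the exposure being argued against), and the rule has to exclude the explanation page itself, or the SSLv2 client loops on the redirect. Apache 2.4 and OpenSSL 1.1.0 and later contain no SSLv2 code, so on a current system the only workable configuration is to turn the protocol off (SSLProtocol all -SSLv2 -SSLv3) and let the handshake fail before any page can be sent.

```apache
# Added example, not from the original message: an Apache 2.2 mod_ssl vhost
# that answers SSLv2 clients with an explanation page instead of the content.
# Host name, certificate paths and the page name are placeholders.
<VirtualHost *:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # SSLv2 has to remain negotiable for the redirect to be seen: a client
    # that cannot complete a handshake never sends a request. That is the
    # cost of this approach; "all -SSLv2" is the safer setting.
    SSLProtocol all

    # Real TLS suites first; the SSLv2 alias last so it is only reached by
    # clients that cannot do better. Server-side ordering makes that stick.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:SSLv2
    SSLHonorCipherOrder on

    RewriteEngine On
    # Act only on connections that actually negotiated SSLv2 ...
    RewriteCond %{SSL:SSL_PROTOCOL} =SSLv2
    # ... and not when the explanation page itself is being fetched,
    # otherwise the SSLv2 client is redirected in a loop.
    RewriteCond %{REQUEST_URI} !^/sslv2-not-supported\.html$
    RewriteRule ^ /sslv2-not-supported.html [R=302,L]
</VirtualHost>
```

The explanation page is served over the same SSLv2 connection, so keep it a static file with no further resources; anything it links to over HTTPS will hit the same rule and the same protocol.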