redirecting users part 2
on 19.08.2002 12:27:47 by Jeroen Vriesman
Hi,
I'm trying to redirect users who don't have enough encryption capabilities for 128 bit (see previous mail).
I've tried the following (but it doesn't work):
Add upgrade.html (the text users with old browsers are supposed to get) to index:
DirectoryIndex index.html index.htm Index.html Index.htm INDEX.HTML INDEX.HTM upgrade.html
Initially allow all strengths:
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
And then:
<Location /upgrade.html>
 SSLRequire %{SSL_CIPHER_USEKEYSIZE} < 128
</Location>
<Location />
 SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
But it doesn't work, any idea why it doesn't work?
Cheers,
Jeroen.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: redirecting users part 2
on 19.08.2002 14:18:20 by Boyle Owen
I don't have the time to investigate this fully in the context of SSL but from a general understanding of how apache combines nested directives like this, I think you might need to change the order of the Location containers. The rules for combining directives are a bit complicated and (I have to say) not entirely well-documented. I think you need to consider the line in sections.html document (look for a link in docs from the doc):
"... each group is processed in the order that they appear in the configuration files ..."
This would imply that apache loads the rule for /upgrade.html then overrides it with the rule for /. I am assuming here that "order" refers to the order in which apache reads data from the config during startup and not the order in which it applies directives to incoming requests...
Confused? Me too...
Rgds,
Owen Boyle
>-----Original Message-----
>From: Jeroen Vriesman [mailto:jeroen@experian.nl]
>Sent: Montag, 19. August 2002 12:28
>To: modssl-users@modssl.org
>Subject: redirecting users part 2
>
>
>Hi,
>
>I'm trying to redirect users who don't have enough encryption
>capabilities for 128 bit (see previous mail).
>
>I've tried the following (but it doesn't work):
>
>
>Add upgrade.html (the text users with old browsers are
>supposed to get) to index:
>
>DirectoryIndex index.html index.htm Index.html Index.htm
>INDEX.HTML INDEX.HTM upgrade.html
>
>
>Initially allow all strengths:
>
>SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
>
>And then:
>
><Location /upgrade.html>
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} < 128
></Location>
>
><Location />
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
></Location>
>
>But it doesn't work, any idea why it doesn't work?
>
>Cheers,
>Jeroen.