Re: ensure 128 bit encryption [update]
on 10.03.2006 18:25:11 by Eckard Wille
Thomas Binder wrote:
>>> SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 )
>> with this option, the user gets no https connection if he has <
>> 128 bit. But the user should get an error page. So it must be
>> possible to establish a connection with <128 bit but redirected
>> to the error page.
>
> Try the following (inside
> SSLOptions +StdEnvVars
> RewriteBase absolute-filesystem-path-to-directory
> RewriteCond %{ENV:SSL_CIPHER_EXPORT} "^true$"
> RewriteRule ".*" /noexport.html
>
> Now, when someone accesses your directory with an export browser,
> (s)he will be redirected to the page /noexport.html, which may
> then explain what's wrong.
Hi all,
just wanted to set up the described configuration with Apache 2.0.54
and OpenSSL 0.9.7.g, but stumbled over the environment changes which
did not jump in my face while reading the docs. Seems like the SSL
environment isn't reachable for mod_rewrite via ENV: or LA-U: prefix,
instead the prefix SSL: has to be used, described in the change report
> http://mail-archives.apache.org/mod_mbox/httpd-bugs/200408.mbox/%3C20040804130814.12865.qmail@nagoya.betaversion.org%3E
Maybe Ralf could add this SSL:-prefix regarding mod_rewrite to his
excellent docs somewhere around the environment references, because
most of the existing howtos on the net do not include that new syntax.
The following lines in the global ssl environment did the trick
for our ssl hosts:
SSLOptions +StdEnvVars
RewriteEngine on
RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} <128
RewriteCond %{REQUEST_URI} !^/error/.*$
RewriteRule .* /error/weak_encryption.html [R,L]
Greetings from Germany,
Eckard
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org