.htaccess recipe for handling browsers without appropriate security protocols available or activated

@Goswami781

Posted in: #Htaccess #Https

We currently use .htaccess to force all traffic coming to our sites over to https. In order to pass various security requirements we should be shutting off SSL 3.0/TLS 1.0, but a small but significant portion of our sizable audience is still using browser versions that make it problematic to shut it off without explanation.

Looking through various .htaccess recipes, I've not yet found one that can check down to the security protocol level and redirect to a different location.

The end result I'm looking for is to be able to gracefully handle those users of older browsers that either don't support TLS 1.1/1.2 or that require user interaction to do so. If we can redirect just the browsers that aren't going to work to a non-https page with information/instructions, it will save much grief.

Leaving SSL 3.0 on is not an option and neither is removing the https-only restriction for the whole website. It seems to me that we could do page-level detection but that the overhead there, compared to having apache do the lifting, seems too high.




1 Comments


@Jessie594

You point out that a small but significant proportion of your users are using outdated browsers. You are never going to be able to get all users to upgrade to the latest version, but you can establish a phase-out period during which you can detect the security mechanisms supported by the browser. If the browser doesn't support modern technologies, you can output a banner message to the browser above the site telling the end user that on such a date support for their browser will end and they need to upgrade if they wish to continue to access the site. After that date, just switch off SSL3 and TLS1. After that point, if a user connects with an unsupported browser, they will get a server-generated error message.

There is not much you can do to filter those connections before the fact, as SSL is done prior to htaccess or application-level rules. If you need this done at the server layer, then there will be the trade-off of blocking some users.

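One way to implement the phase-out detection described in the answer above, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_ssl and mod_rewrite, that SSLv3/TLSv1 are still enabled server-side during the phase-out (otherwise the handshake fails before any rule runs), and a hypothetical informational page at /upgrade-browser.html:

```apache
# Added example, not from the thread. mod_ssl records the protocol actually
# negotiated for this connection in SSL_PROTOCOL; mod_rewrite can read it as
# %{SSL:SSL_PROTOCOL}, so a legacy handshake can be detected once it has
# completed. This only works while the old protocols are still enabled.
RewriteEngine On

# The existing https-only rule from the question.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Option A: mark the request so the application can render the phase-out
# banner above the page (the answer's banner approach). The app reads the
# variable LEGACY_TLS; after an internal redirect Apache may rename it to
# REDIRECT_LEGACY_TLS, so check both. SSLv3, TLSv1 and TLSv1.1 are matched;
# TLSv1.2 and TLSv1.3 are left alone.
RewriteCond %{SSL:SSL_PROTOCOL} ^(SSLv3|TLSv1|TLSv1\.1)$
RewriteRule ^ - [E=LEGACY_TLS:1]

# Option B: send legacy connections to the informational page instead
# (hypothetical path). It stays on https because the handshake has already
# succeeded; dropping to http is unnecessary. The second condition prevents
# a redirect loop on the page itself.
RewriteCond %{SSL:SSL_PROTOCOL} ^(SSLv3|TLSv1|TLSv1\.1)$
RewriteCond %{REQUEST_URI} !^/upgrade-browser\.html$
RewriteRule ^ /upgrade-browser.html [R=302,L]

# End of the phase-out. This belongs in the virtual host, not .htaccess:
# once the old protocols are disabled the handshake fails before any
# rewrite rule runs, which is why no redirect is possible at that point.
#
#   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
```

Use either Option A or Option B, not both, since the redirect in B fires before the application ever sees the variable set in A.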

