Warn your clients before disabling SSLv3 on Apache for POODLE

With POODLE, everyone is hurrying to disable SSLv3 on their web servers. However, some sites still have clients that, for whatever reason, have not moved on from XP / IE6 (it’s only been out 13 years, what’s the rush?). Instead of locking them out immediately, you might prefer to give them a few days’ warning with some Apache 2.2 config such as the following:

RewriteEngine On
# Only act on HTTPS requests ...
RewriteCond %{HTTPS} =on
# ... whose TLS handshake negotiated SSLv3 (needs mod_ssl loaded)
RewriteCond %{SSL:SSL_PROTOCOL} =SSLv3
# Send those clients to an explanatory page instead of the requested URL
RewriteRule .*              http://www.webscalability.com/blog/  [L,R]

Point the RewriteRule at an explanatory page of your choosing. If that page is served from the same HTTPS server, you’ll need to exclude its URL from the rewrite (an extra RewriteCond) to prevent a redirect loop.
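As an added example (not part of the original post), here is the same idea as a complete Apache 2.2 virtual host fragment, with the loop exclusion the paragraph above mentions and a log line so you can count how many SSLv3 clients you actually have before the cut-off. The hostname `www.example.com` and the warning page path `/sslv3-warning.html` are placeholders; mod_ssl and mod_rewrite are assumed to be loaded.

```apache
# Added example, not from the original post. Assumes mod_ssl and mod_rewrite
# are loaded; www.example.com and /sslv3-warning.html are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # During the warning period SSLv3 must stay enabled: the rewrite below runs
    # after the handshake, so a client that cannot negotiate TLS never reaches it.
    SSLProtocol all -SSLv2
    # Once the warning period is over, switch to this line and remove the
    # rewrite block; SSLv3 clients will then fail the handshake outright.
    # SSLProtocol all -SSLv2 -SSLv3

    # Record the negotiated protocol per request so you can measure the impact
    # (grep this log for SSLv3 to see how many clients would be locked out).
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    RewriteEngine On
    # Only HTTPS requests ...
    RewriteCond %{HTTPS} =on
    # ... that negotiated SSLv3 ...
    RewriteCond %{SSL:SSL_PROTOCOL} =SSLv3
    # ... and are not already asking for the warning page itself, which is
    # served from this same vhost; without this condition the redirect loops.
    RewriteCond %{REQUEST_URI} !^/sslv3-warning\.html$
    # Temporary redirect: browsers will not cache it, so nothing sticks once
    # the client upgrades and starts negotiating TLS.
    RewriteRule .* /sslv3-warning.html [L,R=302]
</VirtualHost>
```

The `R=302` is deliberate: a permanent redirect would be cached by some browsers and keep sending an upgraded client to the warning page even after it negotiates TLS. The `SSL_PROTOCOL` log field also gives you a concrete number to decide when the warning period can end.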

If you don’t have IE6 to hand, you can test this as below (note that recent OpenSSL builds ship with SSLv3 compiled out, in which case the `-ssl3` option will be rejected and you’ll need an older build):

echo "GET /" | openssl s_client -connect yourpoodleserver.com:443 -ssl3 2>&1
