Is it possible to set SSL/TLS version HTTP header with Apache which a backend application can use?

burnersk asked:

There is one service on a virtual machine with a dedicated IP that is required to be accessible via SSLv3 (WinXP with IE6 clients). I moved that service several years ago to that virtual machine to be able to disable SSLv3 for all the other services.

I would like to notify the SSLv3 clients for that service that this service will require TLS 1.1 or higher at “some time”. That notification must not be shown on any other clients (business decision).

To achieve this I was thinking of injecting the used SSL/TLS version information on the proxies (Apache) into the original HTTP request to let the backend application conditionally place that “upgrade your system, dinosaur!” notification based on the actually used transport layer security method.

How do I configure the injection? I found the needed environment variables only when Apache is compiled with debug flags but that is not possible on production.

The final result should be that Apache Proxy is injecting the HTTP request header “X-TLS-Version: SSL3” (or “X-TLS-Version: TLS12” or familiar syntax).

My answer:

Set SSLOptions +StdEnvVars and a variety of SSL/TLS-related environment variables will be set. (And you may find this value already set in your web server config, as it is in some sample configs.)

The environment variable your application will want to inspect will be SSL_PROTOCOL.

And you have all our condolences for not being able to remove IE6 and XP from your environment on time.

View the full question and any other answers on Server Fault.
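For the proxy setup described in the question, where the backend is a separate process and cannot read Apache's environment, the negotiated protocol can be copied into a request header with mod_headers. The following is an added example, not part of the original question or answer; the host name, certificate paths and backend address are placeholders, and it assumes mod_ssl, mod_headers and mod_proxy_http are loaded.

```apache
# Added example: forward the negotiated protocol version to a proxied backend.
# ServerName, certificate paths and the backend URL are placeholders.
<VirtualHost *:443>
    ServerName legacy.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Exports SSL_PROTOCOL and the other standard SSL_* variables to
    # CGI/SSI handlers running inside this Apache instance.
    SSLOptions +StdEnvVars

    # mod_headers resolves %{VARNAME}s directly from mod_ssl, so the header
    # carries the SSL_PROTOCOL value (SSLv3, TLSv1, TLSv1.1, TLSv1.2, ...).
    # "set" replaces any X-TLS-Version header sent by the client, so the
    # backend only ever sees the value written by the proxy.
    RequestHeader set X-TLS-Version "%{SSL_PROTOCOL}s"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

The backend should treat this header as trustworthy only when the request arrives from the proxy, since any client that can reach the backend directly can send its own X-TLS-Version value.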

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.