Apache: Allow TLS 1.0 for one host while forcing all others to use 1.2?
Is there a way to configure Apache mod_ssl to allow TLS 1.0 for one particular IP while enforcing TLS 1.2 for all other IPs? I need to support connections from one legacy system that only supports TLS 1.0, but I would like to not completely open up TLS 1.0 for every host. I am aware of IP spoofing and such, but an IP-based restriction - if that is possible - seems to be the best compromise until the legacy system gets replaced.

Solution

  • There are 2 ways to solve your problem, depending on how exactly your client behaves, or depending on your preferences (native Apache with the Allow directive, or Rewrite based).

    You need to know if the client supports SNI or not (a capture of the handshake would answer this question). Most clients support it, even for TLS 1.0, but as it is a legacy system, maybe it doesn't.

    If SNI isn't supported, you can declare two Virtual Hosts. The idea is to send all legacy requests to the first VH (with TLS 1.0 support), and the 2nd VH will answer the others. The IP checking is done by an Allow directive:

    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off
    
    # For the legacy system. This is the first <VirtualHost> for *:443, so it is
    # the default one: clients that send no SNI name are served here.
    <VirtualHost *:443>
      DocumentRoot /var/www/html
      ServerName unknown
    
      SSLProtocol TLSv1
      <Directory "/var/www/html">
        Order Deny,Allow
        Deny from all
        # your legacy IP (Apache does not accept a comment after a directive
        # on the same line, so keep it on its own line)
        Allow from 192.168.1.50
      </Directory>
    </VirtualHost>
    
    # For all others. After reloading, verify that a TLS 1.0 handshake with
    # SNI "my.domain.com" is refused and a TLS 1.2 handshake succeeds.
    <VirtualHost *:443>
      DocumentRoot /var/www/html
      ServerName my.domain.com
    
      SSLProtocol TLSv1.2
      <Directory "/var/www/html">
        Order Deny,Allow
        Allow from all
      </Directory>
    </VirtualHost>
    

    If SNI is supported, we can solve the problem with RewriteCond. I believe it takes more CPU, because it uses RewriteEngine, but solution 1 could be replaced by this one too. You need the Rewrite and Remoteip modules enabled.

    NameVirtualHost *:443
    SSLStrictSNIVHostCheck on
    
    # For all others
    <VirtualHost *:443>
      DocumentRoot /var/www/html
      ServerName my.domain.com
    
      SSLProtocol TLSv1 TLSv1.2
    
      RewriteEngine On
      # Refuse (403) any request that arrived over TLS 1.0 ...
      RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
      # ... unless it comes from your legacy IP. The pattern is a regex, so
      # anchor it and escape the dots; quotes would be matched literally.
      RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.50$
      RewriteRule .* "-" [F]
    
      <Directory "/var/www/html">
        Order Deny,Allow
        Allow from all
      </Directory>
    </VirtualHost>
    

    Let us know the result.
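Whichever variant you deploy, you will want to confirm from both the legacy IP and an ordinary host that TLS 1.0 is really blocked for everyone else. The two variants block at different layers: the two-VirtualHost setup refuses the TLS 1.0 handshake outright, while the RewriteCond setup completes the handshake and answers 403. The script below is an added verification helper, not part of the answer above; it assumes openssl(1) is installed and still supports the -tls1 option (some builds compile TLS 1.0 out), and the host name, port and IP are examples. The parser works on a captured s_client transcript, so it can be exercised offline on constructed text.

```sh
#!/bin/sh
# Added verification script (not from the original answer).
# Assumes: openssl(1) with -tls1 support; host/port given on the command line.

# parse_probe: read a full `openssl s_client` transcript (handshake details
# plus any HTTP reply) from stdin and print one line:
#   refused            handshake failed (the two-VirtualHost setup does this
#                      for TLS 1.0 from any non-legacy client)
#   <proto>:<status>   e.g. TLSv1:403 (RewriteCond setup: handshake succeeds,
#                      mod_rewrite answers 403) or TLSv1.2:200
parse_probe() {
    out=$(cat)
    # s_client prints "Cipher is (NONE)" when no session was established
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        printf 'refused\n'
        return 0
    fi
    # negotiated version from the "Protocol  : TLSv1.x" line of SSL-Session
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -z "$proto" ]; then
        printf 'refused\n'
        return 0
    fi
    # HTTP status code from the reply's status line, if one came back
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | head -n 1)
    printf '%s:%s\n' "$proto" "${status:-none}"
}

# probe HOST PORT VERSION_FLAG: open one connection forced to the given TLS
# version (-tls1 or -tls1_2), send a minimal request, classify the transcript.
# -servername sends SNI, which the RewriteCond setup relies on.
probe() {
    host=$1; port=$2; flag=$3
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" \
              "$flag" -ign_eof 2>&1 \
        | parse_probe
}

# Usage: sh probe_tls.sh my.domain.com 443
# Run it once from the legacy IP (192.168.1.50 in the answer) and once from
# any other host. Expected:
#   two-VirtualHost setup: -tls1 -> refused everywhere except the legacy IP
#   RewriteCond setup:     -tls1 -> TLSv1:403 elsewhere, TLSv1:200 on legacy IP
#   both setups:           -tls1_2 -> TLSv1.2:200 from everywhere
if [ $# -ge 1 ]; then
    for flag in -tls1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "${2:-443}" "$flag")"
    done
fi
```

Running it from the legacy IP is the part people forget: an IP check that is mistyped fails closed (everything on TLS 1.0 gets blocked, including the legacy system), so the positive case needs to be tested as well as the negative one.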