Redirect IE8 from HTTPS to HTTP using mod_rewrite in Apache when TLSv1 is disabled

Question

I currently have the below rules in my .htaccess file:

# Redirect MSIE <9 to HTTP site    
RewriteCond %{HTTPS} =on
RewriteCond %{HTTP_USER_AGENT} "MSIE [6-8]" [NC]
RewriteRule ^(.*)$         http://www.website.com/$1 [L,R]

# Enforce www unless MSIE 8 is in the user agent
RewriteCond %{HTTP_HOST}   !^www\.website\.com$ [NC]
RewriteCond %{HTTP_USER_AGENT} ^((?!MSIE\ 8).)*$ [NC]
RewriteRule ^(.*)$         https://www.website.com/$1 [L,R]

# Force SSL unless MSIE 8  is in the user agent
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_USER_AGENT} ^((?!MSIE\ 8).)*$ [NC]
RewriteCond %{HTTP_HOST}   ^www\.website\.com [NC]
RewriteRule ^(.*)$         https://www.website.com/$1 [L,R]

This works. The problem is, if the URL followed is https://www.website.com in IE8 the SSL handshake fails immediately and no redirecting can be done.

This is because TLSv1 has been disabled on the server in light of recent security flaws. Is there any route in which IE8 can still access the site? Or at least receive a usable error message? As it is now they simply see a message saying they cannot connect.

See these posts for solution, that might help you: https://serverfault.com/questions/389806/redirect-to-ssl-only-if-browser-supports-sni http://stackoverflow.com/questions/11701800/detecting-sni-server-name-indication-browser-support-in-javascript — look, Oct 21 '16 at 12:00

Redirect IE8 from HTTPS to HTTP using mod_rewrite in Apache when TLSv1 is disabled

0 Answers0