I had the <If> in the <VirtualHost> context, where also the SSLCipherSuite is defined. As I understand, the Clients jumps in the Virtualhost context before TLS handshake because of SNI, so it should be theoretically possible to process the <If> in the virtualhost context before handshake. But I had old non-SNI-cpable clients, too, so that would not have worked either, with non-SNI I guess you are right. We will do now another way to get the old clients out of the way to be able to disable old weak ciphers in the vhost. Thank you. > Gesendet: Donnerstag, 25. Februar 2021 um 12:40 Uhr > Von: "Yann Ylavic" <ylavic.dev@xxxxxxxxx> > An: users@xxxxxxxxxxxxxxxx > Betreff: Re: Re: Set SSLCipherSuite dependent on client IP > > On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier <daku8938@xxxxxx> wrote: > > > > I thought about something like that as cause, but since the client IP is known from the very first start of the request, before TLS handshake, I thought it could be evaluated. > > Yes but to determine the context from which the <If> takes place > (VirtualHost, directory, location..), the server needs to know the > request header, thus negotiate TLS with the user-agent already. > Chicken and egg.. > > Regards; > Yann. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|