Show custom message (JSP page) to users that use old browsers with no TLS 1.2 support

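I want to remove older versions of TLS and ciphers from my Java 8 based application (deployed on Tomcat server 8.5.32).

I have users on older browsers/operating systems who will not be able to access the application (TLS 1.0 and TLS 1.1).

I want to catch these people and redirect them to a different application page, in order to show the customer a better message.

Can anyone suggest a way to achieve this?

I have a proposal from a Stack Overflow member to use a set of rewrite rules from the Rewrite Valve (https://tomcat.apache.org/tomcat-8.5-doc/rewrite.html), since it allows conditions on %{SSL:variable}, and then I redirect the browser to a dedicated URL.

Has anyone tried this?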

You can't do this. The TLS connection happens first, then any HTTP or application level protocol can use this connection.

So once you disable older TLS versions, anything that does not support TLS on your site cannot connect, and so cannot receive any instructions to go somewhere else.

This leaves you with a number of options:

  1. Measure in advance to see the impact before turning off older protocols by logging this in your web server logs. IMHO very few browsers will be affected (only really old ones) but you may find some services that don’t work if you have internal, non-browser apps.

  2. Redirect to a warning page before turning it off, if you see you are on an old version. After a while, turn it off.

  3. Leave it on for some routes (e.g. the main page), but don’t allow it access to more sensitive routes (basically a variant of option 2 above).

  4. Turn it off and see who complains.
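
Option 1 above (measuring from the web server logs), as an added example that is not part of the original answer: a small report of how many requests, and which user agents, still negotiate TLS 1.0 or 1.1. It assumes the access log has been configured to append the negotiated TLS protocol as the last field of a combined-format line; the sample lines, the layout and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the page). Assumed layout: combined
# access-log format with the negotiated TLS protocol appended as last field.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2018:10:01:02 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
203.0.113.10 - - [12/Aug/2018:10:01:05 +0000] "GET /app/home HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)" TLSv1
198.51.100.7 - - [12/Aug/2018:10:02:11 +0000] "POST /api/orders HTTP/1.1" 201 64 "-" "Java/1.6.0_45" TLSv1
192.0.2.55 - - [12/Aug/2018:10:03:40 +0000] "GET /app/home HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0" TLSv1.2
192.0.2.77 - - [12/Aug/2018:10:04:09 +0000] "GET /app/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 4.1.2)" TLSv1.1
this line does not match the assumed layout
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)" (?P<tls>\S+)$'
)
LEGACY = {"TLSv1", "TLSv1.1"}  # the versions the question wants to disable


def summarize(log_text):
    """Count requests per TLS version and list the clients still on legacy TLS."""
    by_protocol = Counter()
    legacy_clients = defaultdict(set)  # user agent -> distinct client IPs
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so a wrong log pattern is noticed
            continue
        by_protocol[m["tls"]] += 1
        if m["tls"] in LEGACY:
            legacy_clients[m["agent"]].add(m["ip"])
    total = sum(by_protocol.values())
    legacy_hits = sum(n for p, n in by_protocol.items() if p in LEGACY)
    return {
        "requests": total,
        "skipped": skipped,
        "by_protocol": dict(by_protocol),
        "legacy_share_pct": round(100.0 * legacy_hits / total, 1) if total else 0.0,
        "legacy_agents": {a: len(ips) for a, ips in legacy_clients.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Non-browser agents showing up under `legacy_agents` (such as the constructed `Java/1.6.0_45` entry) are the internal services the answer warns about, and a high `skipped` count means the log pattern does not match the assumed layout.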