Secure Connection Handler

Purpose

ATTENTION
This handler only works on Apache web servers. If you use a web server other than Apache and enable this handler, vWAF considers requests insecure and thus denies them.

The Secure Connection Handler requires the Session Handler if an SSL session ID is to be used. In detection mode, the Secure Connection Handler is ignored.

Prevents attacks on the SSL stack of the web server (for example, Apache enables Null-Encryption by default for debugging purposes!). If not all of the conditions configured in the attributes are met, vWAF denies the request with a configurable HTTP error code.

For more information regarding adding and editing Handlers, see Editing Handlers.

Severity

Events triggered by this handler are given the severity: low. (For details on severity levels, see Severity of Events Triggered by Handlers).

Recommendations for use

Activate the Secure Connection Handler for all applications that use SSL.

Attributes

Attribute Meaning

enforce ssl

When this option is enabled, vWAF denies all requests that aren't sent via SSL, as well as all requests that don't use at least the SSL version specified under minimal ssl version.

minimal ssl version

Specifies which SSL protocol version must at least be used by requests. If a request uses an earlier SSL version than the version selected here, vWAF denies that request.

Example: When you choose TLSv1, vWAF denies requests that are sent via SSLv2 or SSLv3 because SSLv2 and SSLv3 are earlier versions than TLSv1.

We recommend requiring at least SSLv3, which is the default setting.

ATTENTION
This option takes effect even when the option enforce ssl is disabled. In this case, requests are only accepted if they aren't sent via SSL at all, or if they use at least the specified SSL version.

CipherBits

Minimum encryption level (cipher key length in bits) that a request's SSL connection must provide.

ClientCert

Activate this option if the client is required to authenticate itself using a certificate (in this case, a normal login isn't sufficient).

This option is useful for highly security-relevant parts of a web application and should be set specifically for the path.

additional ciphers

Here you can specify an additional list of permitted, non-standard encryption algorithms. If a request uses an encryption algorithm that doesn't conform to the standard available on the web server and isn't included in that list, vWAF denies that request.

error code

HTTP error code that vWAF returns if not all of the conditions described above are met.
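To make the interplay of these attributes concrete, here is an added, illustrative model of the handler's decision logic. It is not vWAF code: the check order, the defaults other than minimal ssl version, the protocol ordering, the server_standard_ciphers parameter, and the sample cipher suite names are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Protocol versions in the order the handler compares them: an earlier entry is an
# "earlier version" in the sense of the minimal ssl version attribute (assumed list).
PROTOCOL_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


@dataclass
class SecureConnectionHandler:
    """The handler's attributes as described in the table above (defaults assumed
    except minimal ssl version, which the page states defaults to SSLv3)."""
    enforce_ssl: bool = True
    minimal_ssl_version: str = "SSLv3"
    cipher_bits: int = 128
    client_cert: bool = False
    additional_ciphers: FrozenSet[str] = field(default_factory=frozenset)
    error_code: int = 403


@dataclass
class ConnectionInfo:
    """What the web server knows about one request's transport (constructed fields)."""
    is_ssl: bool
    protocol: Optional[str] = None          # e.g. "TLSv1.2"; None when not SSL
    cipher: Optional[str] = None            # negotiated cipher suite name
    cipher_bits: int = 0                    # effective key length of that cipher
    client_cert_verified: bool = False      # True when a valid client certificate was presented


def evaluate(handler: SecureConnectionHandler, conn: ConnectionInfo,
             server_standard_ciphers: FrozenSet[str]) -> Tuple[bool, Optional[int], str]:
    """Return (allowed, http_status, reason) for one request.

    server_standard_ciphers models the cipher list the web server itself treats as
    standard; ciphers outside it are accepted only if listed under additional ciphers.
    """
    def deny(reason: str):
        return False, handler.error_code, reason

    # 1. enforce ssl: plain requests are denied only when the option is enabled.
    if not conn.is_ssl:
        if handler.enforce_ssl:
            return deny("request not sent via SSL")
        # With enforce ssl disabled a non-SSL request is accepted as-is; the
        # remaining checks only concern SSL connections.
        return True, None, "non-SSL request accepted (enforce ssl disabled)"

    # 2. minimal ssl version: compare positions in PROTOCOL_ORDER.
    if conn.protocol not in PROTOCOL_ORDER:
        return deny(f"unknown protocol version {conn.protocol!r}")
    if PROTOCOL_ORDER.index(conn.protocol) < PROTOCOL_ORDER.index(handler.minimal_ssl_version):
        return deny(f"{conn.protocol} is earlier than required {handler.minimal_ssl_version}")

    # 3. CipherBits: minimum encryption strength.
    if conn.cipher_bits < handler.cipher_bits:
        return deny(f"cipher strength {conn.cipher_bits} bits below minimum {handler.cipher_bits}")

    # 4. additional ciphers: a non-standard cipher must be explicitly permitted.
    if conn.cipher not in server_standard_ciphers and conn.cipher not in handler.additional_ciphers:
        return deny(f"cipher {conn.cipher!r} is neither standard nor additionally permitted")

    # 5. ClientCert: certificate authentication required for this path.
    if handler.client_cert and not conn.client_cert_verified:
        return deny("client certificate required but not presented or not verified")

    return True, None, "all conditions met"


if __name__ == "__main__":
    # Constructed scenarios: the web server's standard cipher list and two handlers.
    standard = frozenset({"AES128-SHA", "AES256-GCM-SHA384"})
    strict = SecureConnectionHandler(minimal_ssl_version="TLSv1", cipher_bits=128, client_cert=True)
    relaxed = SecureConnectionHandler(enforce_ssl=False, minimal_ssl_version="TLSv1")
    samples = [
        ConnectionInfo(is_ssl=False),
        ConnectionInfo(is_ssl=True, protocol="SSLv3", cipher="AES128-SHA", cipher_bits=128),
        ConnectionInfo(is_ssl=True, protocol="TLSv1.2", cipher="AES256-GCM-SHA384",
                       cipher_bits=256, client_cert_verified=True),
    ]
    for name, h in (("strict", strict), ("relaxed", relaxed)):
        for c in samples:
            print(name, evaluate(h, c, standard))
```

Note that with enforce ssl disabled the non-SSL request passes while the SSLv3 request is still denied, which is the behaviour the ATTENTION note under minimal ssl version describes.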

usertext

Optional:

Here you can specify some text that vWAF adds to the log file entries created by this handler. You can use this, for example, to document why you've added the handler to your configuration, and how the handler is intended to behave.

enable logging

Disable this option if you do not want vWAF to create a log file entry each time the handler is executed. This can be useful for keeping log files smaller when the handler creates a large number of entries that you don't need.

When in detection mode, disabling logging de facto makes the handler ineffective. Disabling logging also prevents the actions of the handler from being taken into account for the Top-10 lists in Attack Analysis, and from being listed in Reports. To decrease the size of the log files, also consider enabling reduced logging, which excludes all non-handler-related information from the log files (see Editing Applications).

For details regarding entries added to the log file by this handler, see the relevant section in Entries in Application-Specific Log Files.