2

For security reasons, I want to block all TLS connections older than TLS1.1. I also want to give a friendly error message for users who use less than TLS 1.1 on my site. Is there any way to accomplish this in IIS or Windows?

Assuming the answer is no, what are some other methods I can achieve this?

makerofthings7
  • 8,911
  • 34
  • 121
  • 197
  • Yes, though most people don't know (business users, etc) what TLS is, so I'll probably have specific browser recommendations. This may get hairy if the user is going through a SSL proxy that isn't as modern as the browser they are using. – makerofthings7 Aug 10 '13 at 15:40

2 Answers2

1

Just an idea:

Perhaps an plain HTTP landing page that very clearly states that they will not be able to proceed with anything less than TLS 1.1, with a button or link on that page that then takes them to the HTTPS site.

Better yet, just have some JavaScript on the HTTP page that attempts to pull a resource from your secure server. If the image or whatever doesn't show up, then we know that the user will not be able to use your site. Like this guy: giantgeek.com/blog/?p=89

"If you do not see the image below, your browser is not compatible with this site..."

I mean you don't have to explain to the users the history of SSL and TLS, just say "your browser is not compatible with this site" or something.

Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
1

Edit 2015-09-22: No longer "hardware only"

Citrix has updated their virtual NetScalers.

Old answer

You can do this with a Citrix NetScaler. But only with the HARDWARE version. The VM version does not support TLS1.1 and upwards.

The way to do this is this: You disallow all TLS1.0/SSL-suites. Then all you are left with are the suites introduced with TLS1.1 and upwards.

Then you use the feature called "CipherRedirect". This will allow a connection with an unwanted cipher, but then redirect to a custom error page.

StackzOfZtuff
  • 1,842
  • 13
  • 21