Can I configure IIS to listen to many, yet different cipher configurations of TLS?

Question

I need to programmatically determine the TLS features of a client and underlying host based on Javascript.

What webserver instance (apache, IIS, etc), allows for different configurations of SSL ciphers to be loaded under different hostnames?

In this use-case, all clients support SNI. The only difference is that I want to make some pages read-only under old ciphers, and full access if using a modern browser.

My plan is to ask everyone to go to app.example.com, which will make a GET request to "legacy.example.com" and also "secure.example.com". If the secure connection succeeds, then we will proceed to that endpoint via a javascript induced redirect.

What webserver technology allows for this, and if I can do it under IIS, that is preferred.

AFAIK, IIS does not support different ciphers for different sites, it's a machine wide change. — Peter Hahndorf, Apr 19 '17 at 02:33

score 1 · Answer 1 · answered Apr 21 '17 at 22:04

To answer the IIS portion of your question:

By default, Windows has only one set of Ciphers and Protocols supported for ALL server operations (and another for all client operations). So, for IIS, all websites on the server support the same Ciphers and Protocols.

The currently enabled ciphers are stored in the registry. So, you could query the info from the registry.

You can also use IIS Crypto (https://www.nartac.com/Products/IISCrypto) to see the currently enabled Ciphers and Protocols.

Can I configure IIS to listen to many, yet different cipher configurations of TLS?

1 Answers1