I have a website that I want to allow SSL access to everything, but TLS 1.2 only to the API, and any sensitive portion of the app.
Any outdated client should go to an error page, explaining why they can't access the resource, and that "it's not us, its you" warning about an outdated browser.
How can I configure this equivalent functionality (which is present on a Netscaler BTW) in App Gateway?
I remember recommending you try that on a different thread. In hindsight i now regret it, since the documentation has no mention of any ability to detect TLS protocol version and take custom action.
However in something that has been around for longer, like nginx, this is almost trivial to accomplish:
if ($ssl_protocol != "TLSv1.2") {
return 302 https://example.com/outdated.html;
}
See this thread for a broader discussion:
https://community.qualys.com/thread/12758
Naturally the downside of your approach is that any PCI-ish security audit tool out there is going to flag you as "insecure", since you're handshaking on TLS 1.0 and 1.1.
Whatever you do, DO NOT shake hands with SSLv3, not even once.
In other news, Citrix seems to have a bring-your-own-license NetScaler offering on Azure.
