7

A browser that only has TLS 1.0 support won't be able to establish an HTTPS session with a server that has only TLS 1.1 and TLS 1.2 support.

This typically results in a cryptic (to a normal user) error about a cipher suite mismatch or in IE even misinforms the user.

IE 10 says, "• Make sure TLS and SSL protocols are enabled. Go to Tools > Internet Options > Advanced > Settings > Security"

IE 11 says "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to www.xyz.com again."

Is there a way to display a more informative message or page to a user in these cases that I am overlooking? I'd like at some point to disable TLS 1.0 and not have browsers that are still fairly common directing users to do things like enable SSL, as that might cause them to go check all the available SSL and TLS boxes, including SSL v2 and v3.

Devon Holcombe
  • It is dependent on your web server. Which one are you using? – schroeder Dec 17 '14 at 23:51
  • Related: SF: [Can I give a friendly error message for connections less than TLS 1.1?](https://serverfault.com/questions/530073/can-i-give-a-friendly-error-message-for-connections-less-than-tls-1-1) – StackzOfZtuff Sep 22 '15 at 08:06

2 Answers

2

You can't get a nice notification to the user without establishing the TLS connection first. This means that your server or some middlebox (load balancer) in between must still be able to talk TLS 1.0. But you could then check the protocol version of the client inside your web application and show the nice notification there. If and how this can be done depends on your web server and application framework.

Steffen Ullrich
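The approach this answer describes, as an added example that is not part of the original answer: a Go `net/http` middleware that lets the handshake complete and then inspects the negotiated protocol version (`r.TLS.Version`) to serve a plain-language notice to legacy clients. The `minAcceptedVersion` constant and the wording of the notice are my choices; for this to work the listener's `tls.Config` must still allow TLS 1.0 (`MinVersion: tls.VersionTLS10`), exactly as the answer says.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// Lowest protocol version the application is willing to serve. Older
// clients still complete the handshake (the listener must keep TLS 1.0
// enabled for that) but receive an explanatory page instead of the app.
const minAcceptedVersion = tls.VersionTLS11

// tlsVersionName turns a crypto/tls version constant into a user-facing label.
func tlsVersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

// legacyTLSGate intercepts requests negotiated below minAcceptedVersion and
// answers with a readable notice instead of letting the browser show a
// cipher-suite error. r.TLS is nil on plain HTTP; behind a TLS-terminating
// proxy you would read the version from a header the proxy sets instead.
func legacyTLSGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS != nil && r.TLS.Version < minAcceptedVersion {
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.WriteHeader(http.StatusUpgradeRequired) // 426, RFC 7231 §6.5.15
			fmt.Fprintf(w, "Your browser connected with %s, which this site is retiring.\n"+
				"Please update your browser or enable TLS 1.1/1.2 (leave SSL 2.0 and 3.0 off).\n",
				tlsVersionName(r.TLS.Version))
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wire `legacyTLSGate(app)` in as the `http.Server` handler and set `TLSConfig: &tls.Config{MinVersion: tls.VersionTLS10}`; once you are ready to drop TLS 1.0 entirely, raise `MinVersion` and the notice simply stops being reachable.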
0

A good load balancer, such as a Citrix NetScaler, can offload SSL and redirect traffic based on the ability to encrypt or redirect according to what is minimally acceptable.

makerofthings7