
I am hosting a website on AWS and want to disable traffic coming from any cipher other than TLS 1.2. This is easy to do on the ELB, but I want to create a custom 'landing page' for those users who need to update their browser to visit the site.

I found this article, "Is it possible to show a static page if all ELB registered instances are down?", which seems to offer something similar, but not exactly the same functionality.

Chri3
    You can't simultaneously deny negotiation of older TLS versions *and* provide a response... but there is no fallback mechanism for passing HTTP if you aren't going to negotiate TLS. Incompatible objectives, don't you think? – Michael - sqlbot Sep 06 '17 at 03:13
  • Hi @Michael-sqlbot, I agree, but there must be a way of showing a nicer error message than a default 'cannot connect' for those users who would need to update their browsers? – Chri3 Sep 06 '17 at 08:11
    With HAProxy doing SSL, you can inject headers that the app can see, that provide the negotiated TLS version and cipher... so you can allow other TLS versions at the socket, then test the header in the back-end. ELB and ALB don't seem to have that capability. So a Classic ELB in TCP mode with HAProxy behind it handling the SSL offloading is the only workaround I am aware of. Nginx can probably do something similar, but again only if it is handling the SSL, not the balancer. – Michael - sqlbot Sep 06 '17 at 12:27

1 Answer


You can't reject a connection (due to non-TLSv1.2) and at the same time accept a connection in order to display an error message. Either you accept it or not accept it, you can't have it both ways.

However, you can accept all connections at the TCP/SSL level and then, in Apache, in Nginx, or in the application, check the protocol used and redirect to an error page if the TLS version is not TLS 1.2.

In Apache it can be achieved with this mod_rewrite rule:

# HTTPS vhost only (on the plain-HTTP vhost SSL_PROTOCOL is empty and every request would redirect); pattern anchored and unquoted, as quotes after ! are matched literally
RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} !^TLSv1\.2$
RewriteRule (.*) http://%{SERVER_NAME}/error_page.html [L,R=302]

Refer to mod_rewrite and mod_ssl for details.

That unfortunately doesn't work with AWS ELB, because there your server doesn't talk to the client directly and the SSL session is terminated on the ELB. However, in that case you can use the new AWS Network Load Balancer, which forwards the raw TCP traffic to your load-balanced EC2 instances, and it's your servers' responsibility to negotiate the SSL protocol with the clients. In that case your servers will have all the info about the TLS protocol used and you can use the checks described above.

Hope that helps :)

MLu
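The in-application form of the check the answer describes, as an added example that is not code from the answer, from the thread, or from AWS: a Go HTTPS server whose listener still accepts TLS 1.0 and 1.1, with a small handler in front of the application that looks at the version actually negotiated and serves an upgrade page (HTTP 426 Upgrade Required) to anything below 1.2. It assumes the setup the thread converges on, where your own server (behind an NLB, or a Classic ELB in TCP mode) terminates TLS, so the request carries the negotiated connection state; it uses httptest's self-signed localhost certificate for a loopback demo and assumes Go's crypto/tls still negotiates TLS 1.0 and 1.1 when MinVersion explicitly asks for them (Go only stops offering them by default). Comparing the numeric version against a minimum, rather than matching the string "TLSv1.2", also admits TLS 1.3, which did not exist when the answer was written. The names tlsGate, newGatedServer, fetchWith and runDemo are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// minAccepted is the lowest version the site itself is served over. Comparing the
// numeric version (instead of matching "TLSv1.2") also admits TLS 1.3.
const minAccepted = tls.VersionTLS12

// versionName renders a crypto/tls version constant the way browsers label it.
func versionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown (0x%04x)", v)
}

// tlsGate is the in-application check from the answer: the listener lets the old
// handshake complete, and each request is judged on the version actually negotiated.
// Clients below minAccepted get the landing page with 426 Upgrade Required.
func tlsGate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil { // plain HTTP: nothing negotiated, nothing to judge
			http.Error(w, "TLS required", http.StatusForbidden)
			return
		}
		if r.TLS.Version < minAccepted {
			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
			w.Header().Set("Cache-Control", "no-store") // never let a cache serve this page
			w.WriteHeader(http.StatusUpgradeRequired)
			fmt.Fprintf(w, "Your browser connected with %s; this site requires %s or newer.\nPlease update your browser.\n",
				versionName(r.TLS.Version), versionName(minAccepted))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newGatedServer starts a loopback HTTPS server (httptest's self-signed localhost
// certificate) whose socket deliberately still accepts TLS 1.0, gated by tlsGate.
func newGatedServer() *httptest.Server {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "welcome to the real site")
	})
	srv := httptest.NewUnstartedServer(tlsGate(app))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS10} // permissive on purpose; the gate decides
	srv.StartTLS()
	return srv
}

// fetchWith makes one request with a client pinned to exactly one TLS version.
func fetchWith(srv *httptest.Server, version uint16) (int, string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone() // keeps the test CA
	tr.TLSClientConfig.MinVersion = version
	tr.TLSClientConfig.MaxVersion = version
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL + "/")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// runDemo hits the gate once per protocol version and returns the status each got.
func runDemo() (map[string]int, error) {
	srv := newGatedServer()
	defer srv.Close()
	out := map[string]int{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		status, _, err := fetchWith(srv, v)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", versionName(v), err)
		}
		out[versionName(v)] = status
	}
	return out, nil
}

func main() {
	res, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map[TLS 1.0:426 TLS 1.1:426 TLS 1.2:200 TLS 1.3:200]
}
```

Run it with go run and it prints the status each pinned client received. Behind HAProxy doing the TLS, as Michael's comment describes, the same handler would read the version from the header HAProxy injects instead of the request's TLS state, and it should accept that header only from the proxy's own address, since any client can otherwise send one itself.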