
Detecting redirects for old SSL/TLS protocol or ciphers

Question asked by iAmWill on Apr 24, 2014
Latest reply on May 15, 2015 by Lily Wilson

Hi,

One of the issues a server administrator has to deal with today is supporting the browsers that are unable to connect to your site if you drop certain protocols or ciphers (e.g. Internet Explorer on Windows XP). Especially if you use HSTS, since you'd get a lot of phone calls from people who don't understand why the browser won't just open your website.

Based on the discussion going on at http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher the best solution at hand seems to be to redirect the browser, based on the SSL/TLS protocol or cipher you actually do not want to support, to some sort of 'sorry, you need to upgrade your browser' page. (If you have other options, feel welcome to respond there.)

But you're faced with the issue that if you test the site here on SSL Labs, you will still see that the protocol or cipher is supported (and get a lower grade), while you most definitely do not expose your website to it.


Would it be possible in the SSLLabs test to also check if the website is actually working, or if the user just gets a browser upgrade warning?

Of course, the website should be able to add some kind of meta-data field or header so SSLLabs actually knows which page is related to this error message.

Something like (just an example; please discuss elaborately, with a full manual):

<meta http-equiv="x-ssl-fallback-content" content="/browserupgrade-needed.html" />

or just (ab)using an existing HTTP error code like "505 HTTP Version Not Supported" or "303 See Other".
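One way to implement the redirect the post describes, as an added example that is not part of the original post or of SSL Labs: an nginx configuration that keeps the old protocol versions and cipher suites negotiable (so legacy clients get past the handshake, which HSTS makes unavoidable) but serves them only an upgrade page. The `$ssl_protocol` and `$ssl_cipher` variables are nginx's own; the hostname, file paths, the fallback page path and the cipher string are assumptions chosen for illustration.

```nginx
# Added example, not from the original post or from SSL Labs. Hostname, paths and
# the cipher list below are assumptions chosen for illustration.

# Flag the protocol versions we still negotiate but no longer want to serve content over.
map $ssl_protocol $legacy_proto {
    default  0;
    SSLv3    1;
    TLSv1    1;
}

# Flag cipher suites kept only so that old clients can complete the handshake at all.
# Names are OpenSSL-style, as nginx reports them in $ssl_cipher (3DES is "DES-CBC3-SHA").
map $ssl_cipher $legacy_cipher {
    default       0;
    ~RC4          1;   # e.g. RC4-SHA, ECDHE-RSA-RC4-SHA
    ~DES-CBC3     1;   # e.g. DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA
}

# nginx "if" cannot OR two conditions, so combine the two flags into one.
map "$legacy_proto$legacy_cipher" $legacy_client {
    default 1;
    "00"    0;
}

server {
    listen 443 ssl;
    server_name www.example.com;                        # assumed hostname

    ssl_certificate     /etc/nginx/tls/example.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/tls/example.key;

    # The handshake deliberately still accepts the old settings, which is exactly
    # what a handshake-only scan reports as "supported". Intentionally permissive;
    # this is not a recommended cipher string.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000" always;

    # The upgrade page is served to everyone without a redirect, so legacy clients
    # cannot loop. add_header in a location replaces the server-level headers,
    # so HSTS is repeated here on purpose.
    location = /browserupgrade-needed.html {
        root /var/www/fallback;                         # assumed
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Cache-Control "no-store" always;
    }

    location / {
        # 302 rather than 301 so the browser does not keep the redirect cached
        # after the user has upgraded.
        if ($legacy_client) {
            return 302 /browserupgrade-needed.html;
        }
        root /var/www/site;                             # assumed
        try_files $uri $uri/ =404;
    }
}
```

Apache's mod_ssl exposes the same negotiated parameters as `SSL_PROTOCOL` and `SSL_CIPHER`, reachable from mod_rewrite through the `%{SSL:...}` lookup, so the equivalent rule is a `RewriteCond` on those two variables plus a `RewriteRule` that excludes the upgrade page itself. Because the handshake still succeeds, a scanner that only completes handshakes will keep listing the legacy protocols and ciphers; to confirm the content redirect you have to finish the request, e.g. `openssl s_client -tls1 -connect host:443` followed by a `GET /` and a check that the reply is a 302 to the upgrade page rather than the real site.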

