Require Modern TLS - Custom Message or Redirect


#1

Hello,

I want to use ‘Require Modern TLS’ feature for my site. Seems to work as expected, however from a user perspective it may be confusing.

When a user hits the site with an outdated browser, they receive a bit of an ugly looking message, that might confuse them. Ideally, I would like to redirect users or serve them a custom message.

Is there a way of doing this with Cloudflare?
If I were to do this at Apache level - would this be seen as a vulnerability by Netcraft or others?

Thanks


#2

You should investigate using Workers to do this.

I would question what threat you are looking to mitigate here. If you serve a custom error message to the user using an old (and potentially vulnerable) TLS version, then the attacker can just as easily replace the error with anything they like and the user does not know what has happened.

If Cloudflare do serve a custom error message, should it have a 426 status like this?

 HTTP/1.1 426 Upgrade Required
 Upgrade: TLS/1.2, HTTP/1.1
 Connection: Upgrade

An intermediate solution would be to use the Better Browser app, and prompt your users to upgrade their browser while still allowing old TLS versions.


#3

Thanks for your reply Michael, that is helpful.

I am happy to do something similar to the ‘Better Browser’ option, but will probably do my own custom version.

I am looking at the workers and they do seem very promising - just need to figure out how to grab the current connecting protocol of the user's browser then redirect if not up to 1.2

Anyone else know how to get the TLS version from the user agent?


#4

User-Agent will not provide the TLS version. (Not reliably anyway).

Workers are executed before the cache, so they are really your only chance to get the TLS version, and my instinct says it should be available as a parameter. I don’t see it in the documentation, but somebody from CF might answer this thread.


#5

Thanks again Michael.

After spending some time with the workers (which are awesome), I have come to a dead end as the TLS info just isn't available (or at least I couldn't find it).

I tried a different approach in my apache .confd by adding in the SSLOptions.

TLS Sniffer

SSLOptions +StdEnvVars

This worked well locally, but it looks like when going through Cloudflare, I just get Cloudflare's TLS 1.2 and not that of the browser.

Any ideas if Cloudflare could pass through the browser's SSLOptions?

Regards
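The Worker approach discussed in replies #2 through #5, as an added example that is not part of the thread and not Cloudflare's own code. It assumes that Cloudflare exposes the negotiated protocol of the client connection as `request.cf.tlsVersion` (strings such as "TLSv1.2" or "TLSv1.3"), and that the "Require Modern TLS" / minimum TLS version setting is left off, because that setting rejects the handshake before any Worker runs. The `/upgrade-your-browser` path is a hypothetical page for this example. The 426 response reuses the headers suggested in reply #2; as that reply also notes, anything served to an old client travels over the weak connection, so the upgrade page carries no sensitive content and only static text.

```javascript
// Added example, not the thread's code: a Cloudflare Worker (service-worker
// syntax) that checks the client's TLS version and serves a redirect or a
// 426 Upgrade Required page instead of the default "Require Modern TLS" error.
//
// Assumption: Cloudflare reports the negotiated protocol in request.cf.tlsVersion.
// The "Require Modern TLS" setting must be off for the request to reach the Worker.

const MIN_TLS = "TLSv1.2";
const UPGRADE_PAGE_URL = "/upgrade-your-browser"; // hypothetical path for this example

// Protocol names in increasing order, as Cloudflare reports them.
// Anything not in this list (including a missing value) is treated as old.
const TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"];

// True when the reported version is at least MIN_TLS; fails closed on unknowns.
function isModernTls(tlsVersion) {
  const idx = TLS_ORDER.indexOf(tlsVersion);
  return idx !== -1 && idx >= TLS_ORDER.indexOf(MIN_TLS);
}

// Policy decision as a plain object, so it can be tested without a Workers runtime.
function decide(tlsVersion, pathname) {
  if (isModernTls(tlsVersion)) {
    return { action: "pass" };
  }
  // The upgrade page itself must be served over the old connection,
  // otherwise the client would loop on the redirect forever.
  if (pathname === UPGRADE_PAGE_URL) {
    return { action: "upgrade-page", status: 426 };
  }
  return { action: "redirect", status: 302, location: UPGRADE_PAGE_URL };
}

// Turn a decision into a Response (or forward the request to the origin).
function buildResponse(decision, request) {
  switch (decision.action) {
    case "pass":
      return fetch(request);
    case "redirect":
      return new Response(null, {
        status: decision.status,
        headers: { Location: decision.location },
      });
    case "upgrade-page":
      // Static text only: this body is delivered over an outdated TLS version.
      return new Response(
        "Your browser only supports an outdated version of TLS. " +
          "Please update it to continue using this site.",
        {
          status: decision.status,
          headers: {
            "Content-Type": "text/plain; charset=utf-8",
            "Upgrade": "TLS/1.2, HTTP/1.1",
            "Connection": "Upgrade",
          },
        }
      );
  }
}

function handleRequest(request) {
  const tlsVersion = request.cf && request.cf.tlsVersion; // assumed Cloudflare field
  const pathname = new URL(request.url).pathname;
  return buildResponse(decide(tlsVersion, pathname), request);
}

// Register the handler only where the Workers runtime provides addEventListener,
// so the module also loads in a plain Node.js environment for testing.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

The decision logic is separated from the Response construction so the version check can be unit-tested offline; `decide` is the piece worth checking, since a wrong ordering or a missing fail-closed branch would let an unknown protocol string through.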


#6

This topic was automatically closed after 14 days. New replies are no longer allowed.