bsm1970
Mar 19, 2019

Block page for TLSv1.x or SSL connections

We have a web page/application that we want to reject connections from any client not using at least TLSv1.2. The way we were planning on doing that was to do this in IIS on the server. It would disallow access to the application and display a banner directing them to update their browser and/or OS to a more recent version. But it appears that since TLS is terminating on the F5, when the server-side TLS connection is established to IIS, it's preferring TLSv1.2 and IIS is never seeing the 1.0/1.1 or SSLv3 connections and thus no banner is displayed.

 

I'd like to block everything but TLSv1.2 at the F5 but also be able to display a page that explains that they need to update their browser rather than them just getting a generic "cannot connect to page" type of response. Not sure the best/easiest way to do this - would it be with an iRule or some block page via LTM policy? I've never done this before so any help would be appreciated.