0

I'm going to include GestPay Payment in my website. It has some browser requirements

Buyer’s browsers must support TSL1.1 protocol or latest

How can I programmatically check if the browser visiting my website achieves the requirement?

In this answer the suggestion is to use external services (ssllabs.com, howsmyssl.com), but I want a self hosted solution, without external dependencies, the main reason for this are security concerns.

In this article salesforce.com exposes a test page, with Chrome Dev Tools, I've tried to disable javascript and the test works the same. So I suppose that is server-side...

Update:

Ideally I would like to allow browsers even without TSL1.1 support, then detect if the browser supports TSL1.1, if it doesn't I won't show the GestPay Payment feature.

Community
  • 1
  • 1
nulll
  • 1,465
  • 1
  • 17
  • 28

1 Answers1

0

After researching a while, this is what I understood:

In this caniuse table are listest browsers not supporting tls1.1

When a browser asks an https page, it sends the list of supported encryption protocols, the server choose the best one.

If the server doesn't allow a protocol lesser than TLS1.1, the browser won't see the page at all, for example this is IE9 behavior: IE9 behavior for un

In javascript there is no access to https certificate info.

There is no way to do a feature detection about this.

In the HTTP Headers the info is not available, neither in the PHP $_SERVER superglobal.

So you could run by your own the opensource HowsMySsl server (but to me is too overkill)

So maybe I will go with user-agent sniffing to determine if the browser is not supporting TLS1.1, even if user-agent sniffing is bad

I hope that this will help someone else out there!

nulll
  • 1,465
  • 1
  • 17
  • 28