Show custom message( jsp page) to users that use old browsers with no TLS 1.2 support

Question

I want to remove older versions of TLS and ciphers from my app(deployed on tomcat server 8.5.32) that is java 8 based application.

I have users using older browsers/operating systems and they will not be able to access the app(TLS 1.0and TLS 1.1).

I want to catch these people and redirect them to a different app page to show a nicer message to the customers.

Is anyone able to suggest a way this can be achieved?

I have a proposal by stackoverflow member to using a set of rewrite rules from the Rewrite Valve(https://tomcat.apache.org/tomcat-8.5-doc/rewrite.html) as this one allows conditions on %{SSL:variable} and then i would redirect the browser to a dedicated URL.

Anyone already have tried this?

Answer 1

You cannot do this. The TLS connection happens first, then any HTTP or application level protocol can use this connection.

So once you disable older TLS versions, anything that does not support TLS on your site cannot connect, and so cannot receive any instructions to go somewhere else.

This leaves you with a number of options:

1. Measure in advance to see the impact before turning off older protocols by logging this in your web server logs. IMHO very few browsers will be affected (only really old ones) but you may find some services that don’t work if you have internal, non-browser apps.

2. Redirect to a warning page before turning it off, if you see you are on old version. After a while turn it off.

3. Leave it on for some routes (e.g. the main page), but don’t allow it access to more sensitive routes (basically a variant of option 2 above).

4. Turn it off and see who complains.