Error page on SSL negotiation failure

We're updating our nginx config to remove some older/less secure cypher suites.

For the overwhelming majority of cases this shouldn't cause any issues; however, older versions of Windows (and very early versions of Windows 10) will not be able to negotiate a connection as there will be no cipher suites in common.

We're taking a "secure by default" approach but will allow users to downgrade the security of their deployment if the change causes them issues.

My question is ...

Can I get nginx to redirect to an error page if SSL negotiation fails?

[presumably over HTTP, although I could live with running a different, insecure, server/config to serve a single error file]

I note CloudFlare have adopted HTTP 525 to indicate "SSL negotiation failed" but in their case, they're 2-hop and are thus reporting their own failure to connect downstream, rather than handling a failure to connect to cloudflare itself, so I can't see any easy way to leverage this (plus it's non-standard).


Solution 1:

Short answer - no.

Redirection is an HTTP thing. This happens after SSL/TLS negotiation has completed successfully.

If you include insecure ciphers in ssl_ciphers (make sure you set this up so the strong ones are preferred - i.e. first in the list) then your old clients will still be able to connect and your webserver will be able to talk to them. From that point it may be possible to define a different behaviour based on $ssl_cipher.

Something along the lines of (NB: not tested):

    # $ssl_cipher holds the suite negotiated for this connection;
    # a rewrite to an absolute URL returns a 302 redirect to the client.
    if ($ssl_cipher = "DES-CBC3-SHA") {
        rewrite  (.*)  https://insecure.com$1;
    }
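An added example of the approach this answer describes, written here and not taken from the answer's author or from any nginx documentation: the strong suites are listed first with server preference on, and a map on $ssl_cipher flags legacy handshakes so they can be sent to a warning page and, going a step further than the answer, logged so you can see which clients still need the weak suite. The hostname, certificate paths, document roots, cipher list and the /legacy-tls.html page are all assumptions.

```nginx
# Added example (not part of the answer above). Keep one legacy suite so old
# clients can finish the handshake, but prefer the modern suites and flag any
# connection that ended up on the legacy one. All names/paths are placeholders.

# $legacy_tls is "1" only when the negotiated suite is the legacy one.
map $ssl_cipher $legacy_tls {
    default          0;
    "DES-CBC3-SHA"   1;   # the only weak suite kept in ssl_ciphers below
}

# Record protocol and cipher per request so legacy clients are visible in logs.
log_format tls_audit '$remote_addr $ssl_protocol $ssl_cipher legacy=$legacy_tls "$request"';

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/fullchain.pem;     # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;       # placeholder

    # Server ordering must win, otherwise the client's preference decides.
    ssl_prefer_server_ciphers on;
    # Strong suites first; the legacy suite last so it is only chosen when
    # the client offers nothing else.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA;

    access_log /var/log/nginx/tls_audit.log tls_audit;

    # Static warning page served to legacy clients (placeholder path).
    location = /legacy-tls.html {
        root /var/www/errors;
    }

    location / {
        # "return" inside "if" is one of the safe uses of the if directive.
        if ($legacy_tls) {
            return 302 /legacy-tls.html;
        }
        root /var/www/site;                               # placeholder
    }
}
```

The map and log_format directives live in the http context, so the server block goes in the same file or one included from it; grep the audit log for legacy=1 to measure how many clients the eventual removal of the weak suite will affect.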