Can I give a friendly error message for connections less than TLS 1.1?

Just an idea:

Perhaps a plain HTTP landing page that very clearly states that they will not be able to proceed with anything less than TLS 1.1, with a button or link on that page that then takes them to the HTTPS site.

Better yet, just have some JavaScript on the HTTP page that attempts to pull a resource from your secure server. If the image or whatever doesn't show up, then we know that the user will not be able to use your site. Like this guy: giantgeek.com/blog/?p=89

"If you do not see the image below, your browser is not compatible with this site..."

I mean you don't have to explain to the users the history of SSL and TLS, just say "your browser is not compatible with this site" or something.
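The probe described in this answer, written out as an added example (it is not code from the original answer or from the linked blog post). It assumes a secure host at https://secure.example.com that serves a small image at /tls-probe.png, and a landing page containing a `<p id="tls-status">` and an `<a id="tls-continue">`; all of those names are assumptions. The loader is injectable so the decision logic can be exercised outside a browser.

```javascript
'use strict';

// Assumed names, not from the original answer: the HTTPS origin that only
// accepts TLS 1.1 and up, and a tiny image it serves for the probe.
const SECURE_ORIGIN = 'https://secure.example.com';
const PROBE_PATH = '/tls-probe.png';
const PROBE_TIMEOUT_MS = 5000;

// Cache-bust the probe URL: an image left in the browser cache by an earlier
// visit would otherwise "load" without any TLS handshake taking place.
function probeUrl(origin, path, nonce) {
  return origin + path + '?nonce=' + encodeURIComponent(String(nonce));
}

// Map the probe outcome to what the landing page should show. Only 'loaded'
// proves the browser negotiated TLS with the secure server; 'error' and
// 'timeout' are both treated as "cannot connect".
function verdict(outcome) {
  if (outcome === 'loaded') {
    return {
      compatible: true,
      message: 'Your browser is compatible with this site.',
      href: SECURE_ORIGIN + '/',
    };
  }
  return {
    compatible: false,
    message: 'Your browser is not compatible with this site. ' +
             'Please upgrade your browser to continue.',
    href: null,
  };
}

// Run the probe with an injectable loader(url, onload, onerror) so a stub
// can drive it outside a browser. Resolves exactly once, even if the loader
// fires a callback after the timeout.
function probeSecureOrigin(loader, url, timeoutMs) {
  return new Promise((resolve) => {
    let settled = false;
    let timer;
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(verdict(outcome));
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    loader(url, () => finish('loaded'), () => finish('error'));
  });
}

// Browser loader. An <img> fetched from an http:// page to an https:// origin
// is not blocked as mixed content and needs no CORS headers for onload/onerror
// to fire, so the secure server needs nothing beyond the image itself.
function imageLoader(url, onload, onerror) {
  const img = new Image();
  img.onload = onload;
  img.onerror = onerror;
  img.src = url;
}

// Browser entry point: show the message and reveal the link to the HTTPS site
// only when the handshake succeeded. Element ids are assumptions.
function runOnPage() {
  const url = probeUrl(SECURE_ORIGIN, PROBE_PATH, Date.now());
  return probeSecureOrigin(imageLoader, url, PROBE_TIMEOUT_MS).then((v) => {
    document.getElementById('tls-status').textContent = v.message;
    const link = document.getElementById('tls-continue');
    if (v.compatible) {
      link.href = v.href;
      link.hidden = false;
    } else {
      link.hidden = true;
    }
    return v;
  });
}

if (typeof document !== 'undefined' && typeof Image !== 'undefined') {
  runOnPage();
}
```

Two caveats worth keeping in mind: the landing page travels over plain HTTP, so it is a usability aid that an on-path attacker can alter, not a security control; and content or privacy blockers that suppress third-party images will produce a false "not compatible" result, which is why the probe image should live on the same hostname as the secure site rather than on a separate tracking-style host. Because the probe exercises the secure server's real configuration, it keeps working unchanged if the minimum version is later raised to TLS 1.2.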


Edit 2015-09-22: No longer "hardware only"

Citrix has updated their virtual NetScalers.

  • Citrix Systems, Inc., 2015-06-03, Release Notes for Build 57.7 of NetScaler 10.5 Release

    The NetScaler VPX appliance now supports TLS protocol versions 1.1 and 1.2.

Old answer

You can do this with a Citrix NetScaler. But only with the HARDWARE version. The VM version does not support TLS1.1 and upwards.

The way to do this is: you disallow all TLS1.0/SSL suites. Then all you are left with are the suites introduced with TLS1.1 and upwards.

Then you use the feature called "CipherRedirect". This will allow a connection with an unwanted cipher, but then redirect to a custom error page.

  • Citrix documentation: http://support.citrix.com/proddocs/topic/netscaler-ssl-93/ns-ssl-config-cipher-redirect-tsk.html
  • This may raise red flags during security audits if the auditor does not know about this: "False Positives in SSL Security Scanners for Weak Cipher-Strength on NetScaler", http://support.citrix.com/article/CTX119993