Is it possible to configure IIS to redirect based on the SSL cipher suite used for the connection?

With the announcement of POODLE, I would like my servers to accept SSL 3.0 connections but have them serve a page which indicates that the user should update to a newer browser with TLS support. It seems like this should be possible, as IIS should know which cipher suite is being used, but I cannot figure out any way to configure this information to either allow for hosting different content or be forwarded on to the site itself to do something with.

Is there a way to make IIS either redirect based on the cipher suite used during SSL/TLS negotiation or a way to make information about the cipher suite available to the site?


SSL / TLS negotiation happens inside http.sys, outside of IIS. By the time the traffic gets to IIS all the encryption-related work has been done.

I'm not aware of any API that exposes the negotiated protocol to IIS-based applications. You could always try to grab it from another source, but I suspect that will prove dodgy, at best.

Logging Schannel success events will generate event ID 36880 entries that show the negotiated parameters, but Microsoft didn't bother including the client IP address in these log entries (at least, not that I'm seeing). (That would have been nice but, yet again, Microsoft doesn't bother including IP addresses in Event Logs... Grrrr!)

You could run a packet capture into a ring buffer, looking for SSL 2.0 negotiations and logging them into some kind of persistent store. Your application could query that store, correlate the client IP address to the negotiation log, and proceed to your warning. I suppose that's a feasible practice but that really seems like a lot of work (and "moving parts") to accomplish very little. (It does sound like something fun to write, though...)
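The "capture, log, correlate by client IP" workaround the answer sketches, as an added example that is not part of the original question or answer and not IIS or Windows code: a minimal parser for an SSLv3/TLS ServerHello record that extracts the negotiated protocol version and cipher suite, a per-client-IP store for those results, and the lookup a web application would call to decide whether to show the "upgrade your browser" page. The `build_server_hello` helper, the `192.0.2.x` addresses and the fixed all-zero `random` field are constructed sample input so the block runs offline; in practice the records would come from the capture tool's output. It handles SSLv3-style records only (content type 0x16), which covers the SSL 3.0 case the question is about; an SSLv2-format ClientHello uses a different framing and is not parsed here.

```python
"""Detect SSL 3.0 negotiations from captured ServerHello records and
correlate them to client IPs (hypothetical glue for an IIS site)."""

# Version bytes as they appear on the wire (pre-TLS 1.3 ServerHello).
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
# Anything older than TLS 1.0 should get the warning page.
MIN_ACCEPTABLE_VERSION = (3, 1)


def build_server_hello(version, cipher_suite, session_id=b""):
    """Constructed sample input only: a TLS record wrapping a ServerHello."""
    random_bytes = bytes(32)  # fixed zeros; a real server sends 32 random bytes
    body = (
        bytes(version)
        + random_bytes
        + bytes([len(session_id)])
        + session_id
        + cipher_suite.to_bytes(2, "big")
        + b"\x00"  # compression method: null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


def parse_server_hello(record):
    """Return {'version': (major, minor), 'cipher_suite': int} from a
    ServerHello record. The server_version field carries the negotiated
    protocol for SSL 3.0 through TLS 1.2 (TLS 1.3 moves it to an extension,
    which this parser does not look at)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 35:  # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ServerHello")
    version = (body[0], body[1])
    sid_len = body[34]
    offset = 35 + sid_len
    if len(body) < offset + 3:  # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    cipher_suite = int.from_bytes(body[offset:offset + 2], "big")
    return {"version": version, "cipher_suite": cipher_suite}


def record_negotiation(store, client_ip, record):
    """What the capture side would do: parse and persist, keyed by client IP."""
    store[client_ip] = parse_server_hello(record)


def describe_negotiation(store, client_ip):
    """Human-readable summary, e.g. 'SSL 3.0 / 0x000a', or None if unseen."""
    entry = store.get(client_ip)
    if entry is None:
        return None
    name = VERSION_NAMES.get(entry["version"], "unknown %r" % (entry["version"],))
    return "%s / 0x%04x" % (name, entry["cipher_suite"])


def needs_upgrade_warning(store, client_ip):
    """What the web application would call: True only when this client's
    last observed negotiation was below TLS 1.0. Unknown clients get the
    normal site, since no negotiation was seen for them."""
    entry = store.get(client_ip)
    return entry is not None and entry["version"] < MIN_ACCEPTABLE_VERSION


if __name__ == "__main__":
    store = {}
    record_negotiation(store, "192.0.2.10", build_server_hello((3, 0), 0x000A))
    record_negotiation(store, "192.0.2.11", build_server_hello((3, 3), 0xC02F))
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, describe_negotiation(store, ip), needs_upgrade_warning(store, ip))
```

Keying on client IP is the weak point of this scheme, as the answer hints: clients behind a shared NAT or proxy collide in the store, and the entry for an IP must be expired or overwritten once that client reconnects with a newer protocol, which is why the store is written as last-negotiation-wins here.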