I am hosting a website on AWS and want to disable traffic coming from any cipher other than TLS 1.2. This is easy to do on the ELB, but I want to create a custom 'landing page' for those users who need to update their browser to visit the site.

I found this article, "Is it possible to show a static page if all ELB registered instances are down?", which seems to offer something similar, but not exactly the same functionality.


You can't reject a connection (due to non-TLSv1.2) and at the same time accept a connection in order to display an error message. Either you accept it or you don't; you can't have it both ways.

However, you can accept all connections on the TCP/SSL level and in Apache, in Nginx or in the application check for the protocol used and redirect to an error page if the TLS version is not TLS 1.2.

In Apache it can be achieved with this mod_rewrite rule:

# Place in the HTTPS vhost; the pattern must be unquoted and anchored (with !"TLSv1.2" the quotes become part of the regex and never match, so every client would be redirected)
RewriteEngine On
RewriteCond %{SSL:SSL_PROTOCOL} !^TLSv1\.2$
RewriteRule (.*) http://%{SERVER_NAME}/error_page.html [L,R=302]

Refer to mod_rewrite and mod_ssl for details.

That unfortunately doesn't work with AWS ELB because there your server doesn't talk to the client directly and the SSL session is terminated on the ELB. However, in that case you can use the new AWS Network Load Balancer that forwards the raw TCP traffic to your load-balanced EC2 instances, and it's your servers' responsibility to negotiate the SSL protocol with the clients. In that case your servers will have all the info about the TLS protocol used and you can use the checks as described above.

Hope that helps :)
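The same approach in Nginx, as an added example that is not part of the answer above: the TLS handshake is still accepted for older protocol versions (so the server has a chance to answer at all), and `$ssl_protocol`, which ngx_http_ssl_module sets to the negotiated version, decides whether the request is served or sent to the landing page. The hostname, certificate paths and document roots are placeholders, and the landing page is assumed to be served from a plain-HTTP server block so that a client without TLS 1.2 can actually load it.

```nginx
# Added example, not the original answer's configuration.
# Placeholder values: example.com, certificate paths, document roots.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Older versions are accepted at the handshake only so the client can be
    # redirected; modern Nginx defaults would reject them outright.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # $ssl_protocol holds the negotiated version, e.g. "TLSv1.2".
    # Anything else is sent to the plain-HTTP landing page.
    if ($ssl_protocol != "TLSv1.2") {
        return 302 http://$host/error_page.html;
    }

    location / {
        root /var/www/site;
    }
}

server {
    listen 80;
    server_name example.com;

    # The landing page must be reachable without TLS 1.2.
    location = /error_page.html {
        root /var/www/landing;
    }

    # Everything else on plain HTTP is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Because `$ssl_protocol` is only known after the handshake, this check (like the Apache rule) only works where the instance terminates TLS itself, i.e. behind a TCP/NLB listener rather than an ELB HTTPS listener. Adding `$ssl_protocol` and `$ssl_cipher` to a custom `log_format` in the `http` context is a cheap way to measure how many clients are being turned away before tightening `ssl_protocols` further.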