Need to test for TLS 1.2 support in IE browser

Since we have shut down the SSLv3 cipher on our web site, our stats are dropping and we'd like to alert IE browsers on how to quickly rectify this, so they can shop our site.

Since IE's advanced settings are not enabled by default for TLS 1.2, I'm looking to determine if there is a way to alert users with these browsers to an FAQ on how to enable it. I have a Barracuda WebApp 460 handling certificates for my IIS server farm, and was curious if a rewrite can be triggered here, as the browsers never make it to my web site.

I'm sure this is a common complaint.

Thanks,
David
okiebug asked:

btan (Exec Consultant) commented:
If the machine can access the internet, you can check out the page below using the browser; it will show the crypto and whether it supports TLS 1.2. You should see the top message showing
Your user agent has good protocol support.
Your user agent supports TLS 1.2, which is the best available protocol version at the moment.
https://www.ssllabs.com/ssltest/viewMyClient.html

That is for the browser; for testing the site there is an equivalent https://www.ssllabs.com/ssltest/index.html as well as an API to call https://www.ssllabs.com/projects/ssllabs-apis/index.html. More commonly, a tool such as "openssl s_client" can be used to grab the web page to test,

e.g. openssl s_client -connect example.com:443 -ssl3
The above fails if SSLv3 is disabled, with an error such as

3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3073927320:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

For the cipher check, the openssl cipher names are listed at https://www.openssl.org/docs/apps/ciphers.html

Here is a good reference for the example; nmap and sslscan are other candidate test tools: https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)
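A small script that automates the per-version openssl s_client checks described above and classifies each run's output, including the "sslv3 alert handshake failure" error quoted in the comment. This is an added example, not code from the thread or from any of the tools it links; it assumes an `openssl` binary on PATH (and network access) when `probe()` is run against a real host, while `parse_s_client()` is pure and is fed constructed sample output here.

```python
"""Probe which SSL/TLS protocol versions a server accepts by driving
`openssl s_client` once per version flag and classifying its output.
Added example, not code from the thread; assumes an `openssl` binary on
PATH (and network access) when probe() runs against a real host."""
import re
import subprocess

VERSION_FLAGS = ["-ssl3", "-tls1", "-tls1_1", "-tls1_2"]

def parse_s_client(output):
    """Classify the combined stdout+stderr of one s_client run."""
    # Builds with SSLv3 compiled out reject the -ssl3 flag outright.
    if re.search(r"unknown option", output, re.I):
        return {"status": "untestable", "detail": "flag not supported by this openssl"}
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    ciph = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    # A failed handshake still prints a session block with "Cipher : 0000",
    # so only a real cipher name counts as an accepted protocol version.
    if proto and ciph and ciph.group(1) not in ("0000", "(NONE)"):
        return {"status": "accepted", "protocol": proto.group(1), "cipher": ciph.group(1)}
    alert = re.search(r"alert (handshake failure|protocol version)", output)
    return {"status": "refused", "detail": alert.group(0) if alert else "handshake failed"}

def probe(host, port=443, timeout=10):
    """Run one probe per version flag and return {flag: classification}."""
    results = {}
    for flag in VERSION_FLAGS:
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, flag]
        try:  # empty stdin makes s_client exit right after the handshake
            run = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
            out = run.stdout.decode(errors="replace") + run.stderr.decode(errors="replace")
        except (OSError, subprocess.TimeoutExpired) as exc:
            out = f"probe error: {exc}"
        results[flag] = parse_s_client(out)
    return results

def meets_policy(results):
    """True when SSLv3 is refused and TLS 1.2 is accepted, the goal in the thread."""
    return results["-ssl3"]["status"] == "refused" and results["-tls1_2"]["status"] == "accepted"

# Constructed sample outputs (not real captures); the first reuses the error line quoted above.
SAMPLE_SSL3_REFUSED = (
    "3073927320:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40\n"
    "    Protocol  : SSLv3\n    Cipher    : 0000\n")
SAMPLE_TLS12_OK = ("    Protocol  : TLSv1.2\n"
                   "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n")

if __name__ == "__main__":  # usage: python probe_tls.py shop.example.com
    import sys
    print(probe(sys.argv[1]))
```

Run it against the site itself after the ADC change: the "-ssl3" entry should read refused and "-tls1_2" accepted, which is exactly what the SSL Labs server test also reports.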
Dave Baldwin (Fixer of Problems) commented:
??  Only IE11 supports TLS 1.2.   IE10, 9, 8 only support TLS 1.0.
btan (Exec Consultant) commented:
On the browser support, see
TLS 1.1 and 1.2 supported, but disabled by default: Internet Explorer (8–10 for Windows 7 / Server 2008 R2, 10 for Windows 8 / Server 2012, IE Mobile 10 for Windows Phone 8)

TLS 1.1 and 1.2 not supported: Internet Explorer (6-8 for Windows Server 2003, 7–9 for Windows Vista / Server 2008), Safari 6 for Mac OS X 10.8
from the wiki: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers

Besides verifying that the client browser and website really support the intended crypto, I am thinking the condition for the redirect is that SSLv3/SSLv2 must be disabled completely, leaving all TLS versions enabled, but show a warning for TLS 1.0 and 1.1; TLS 1.2 goes as per normal. TLS 1.2 can be restrictive for the client browser unless the browser is of the latest build.

However, a redirect to a warning or error page may be better suited based on the response code from the server, using that to serve out the maintenance page, and probably adding the link to SSL Labs to test the client browser, so they will see the "warning" instead.

But we have to be wary that browsers also can (often) do insecure fallbacks to older protocol versions if a connection fails, e.g. an attacker can force many browsers that support TLS 1.2 to fall back to SSL 3. This is vulnerable to POODLE and related weak cipher block chaining attacks, including recently FREAK (use of EXPORT ciphers with weak key sizes).

In fact, with a redirect, meaning the browser is attempting to negotiate an insecure connection with your server, an attacker can exploit this and intercept that establishment to their own malicious page. Probably just serve out a maintenance page and advise them to check their browser using SSL Labs... maybe you can have a custom error code or use an existing one as required (this can be found out by testing the failure to see what is sent from your web server first...). For IIS, the HTTP error codes are available at https://support.microsoft.com/en-us/kb/943891


okiebug (Author) commented:
I have attached an image of the desired behavior for browsers that do not support the cipher. It clearly states that our site wants to assist the user and provides a link to instructions and a request to come back after performing the changes.
[Attached image: Example of desired behavior]
I use IE 11 and F12 Dev Tools to simulate versions 9 and 10 after disabling TLS 1.2 and TLS 1.1, so we are all set. I was curious to know if any of you had performed a redirect at your firewall appliance based on a condition of non-TLS 1.2 support for the browser.
Thanks for the links; going to close this as works as designed. Why oh why would MS default to not enabling this in those earlier browsers.
gheist commented:
That is what the browser shows internally.
You need to change the SSL toolkit to allow weak negotiation with redirect (and unwillingly let POODLE and LOGJAM in).
btan (Exec Consultant) commented:
You do not redirect at the FW but probably at the web proxy or equivalent application delivery controller (ADC) for outbound traffic. But do you really want to have a weaker client machine connected into the WWW? SSL3 and below need to be disabled, as we already discussed and shared on the "hole" and vulnerabilities that already have published exploits for these weak ciphers. At most, TLS 1.0 enabled is the lowest you can go for running a business.