Redirection of pre-TLS 1.2 requests

1. Caddy version (caddy version):


2. How I run Caddy:

a. System environment:

Debian Buster

b. Command:

systemctl start caddy

c. Service/unit/compose file:


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile


d. My complete Caddyfile or JSON config:

	servers {
		max_header_size 64KB
		protocol {
		timeouts {
			idle 30s
			read_body 30s
			read_header 30s
			write 30s

(kiss) {
	header {
		expect-ct "enforce, max-age=9999"
		permissions-policy "camera=(), microphone=()"
		referrer-policy strict-origin-when-cross-origin
		strict-transport-security "max-age=63072000; includesubdomains; preload"
		x-content-type-options nosniff
		x-frame-options deny
		x-xss-protection "1; mode=block"

(main) {
	@end_slash path_regexp xx (.+)/$
	@live_server not path /file_server/*
	handle_errors {
		header content-security-policy "base-uri 'none'; default-src 'self'; form-action 'none'; frame-ancestors 'none'; frame-src 'none'; object-src 'none'; script-src 'sha256-●●●●●'; style-src 'sha256-●●●●●'"
		import kiss
		rewrite * /file_server/maintenance.v1.html
	import kiss
	redir @end_slash {http.regexp.xx.1} 308
	root * /etc/caddy
} {
	import kiss
	redir{uri} 308
} {
	@unauthorized not header ●●●●● ●●●●●
	import main
	respond @unauthorized "The request is understood but has been refused by the proxy server." 403
	reverse_proxy @live_server
} {
	import main
	reverse_proxy @live_server

3. The problem I’m having:

I would like to redirect all TLS 1.1 and earlier requests to an error page, so that the user gets some feedback as to why he / she cannot access my website. Is this at all possible with Caddy?

4. Error messages and/or full log output:


5. What I already tried:

I could not find any relevant information.

6. Links to relevant resources:

Perhaps not very helpful, but an old example using nginx is described in this stackoverflow post:

Caddy v2 doesn’t actually support TLS 1.1 or below, meaning the TLS handshake will never complete. If the handshake doesn’t complete successfully, the browser will always display an error. So what you want to do isn’t possible with Caddy. Your users simply need to upgrade to newer clients that support secure protocols.


While this is correct, I want to clarify that Caddy can do this, but you’d have to manually patch in support for TLS 1.1:

A one-line change would make it possible. I don’t recommend this, but in your case if you give a helpful error message on TLS 1.1 then I suppose I won’t judge. :slight_smile:

1 Like

Great responsiveness Francis and Matt, thank you!

Indeed users need to upgrade. It’s just that, in my case, the average user is a 60 years old male, he uses the internet to do specific things, and our competitors’ websites don’t care about internet security. I therefore fear that our website might be marked dysfunctional, vis-à-vis our permissive (hence operational) competitors, long before the inevitable browser upgrade.

Mine is a bit of an edge case, I know. But I would be thrilled if, one day, Caddy supported this functionality out of the box. It would enable people like me, for example, to discontinue TLS 1.2 support early, instead of having to wait for everyone else to do it first.

That would be a security regression, so the chances of Caddy changing to re-add TLS 1.1 support is close to zero.

Like Matt said, your best bet is to make a custom build of Caddy that enables it. The good news is that building Caddy is very easy since it’s written in Go.

I do not expect TLS 1.1 support to be re-added. My hope was that there might be room for a middle tier between supported and unsupported protocols (say deprecated protocols), of which TLS 1.2 will eventually become the first member. A simple matcher (say tls_deprecated) could then be used to redirect requests (to an informative error page). As I said, this would be a security enhancement, as it would enable Caddy users to discontinue TLS 1.2 support sooner rather than later.

This topic was automatically closed after 30 days. New replies are no longer allowed.