IIS – How does one measure the breakdown of visitors that support TLS 1.2

iis, tls, windows-server-2012-r2

We are deprecating support for TLS 1.0 and 1.1 on our websites since they are no longer considered secure.

How can we see the % of our visitors that would be affected by this change? (i.e. those visitors that don't support TLS 1.2.)

We use Windows Server 2012 R2 w/ IIS8.

Best Answer

Set up a 2nd server (such as a virtual machine, or a 2nd daemon on the same host). Use a rewrite rule to reverse proxy requests for something optional to the 2nd server, like an invisible image hidden on the page. Configure the 2nd server to only allow TLS 1.2; don't hotlink to another hostname... make sure to proxy, or it won't be secure so maybe the browser will have a warning, or maybe just never load the image.

Then track the requests for the image. Clients without support should have SSL/TLS errors. Clients with support would generate some '200 OK' logs. If the log doesn't say anything useful, try proxying to some JavaScript instead, which can do an AJAX request to log the traffic when successful (but a script blocker may stop this).

For testing your 2nd server's ssl/tls support before you rely on logs to make sense, use a good test like nmap which can list lots of details.

nmap --script ssl-enum-ciphers example.com
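To turn the log tracking described in the answer into a percentage, here is an added example (not code from the question or the answer): a Python script that parses IIS W3C extended log lines and reports the share of distinct client IPs that loaded a page but never received a 200 for the probe image. The probe path /probe/tls12.gif and the log lines are constructed for the example.

```python
# Estimate the share of visitors that never fetched the TLS 1.2-only probe image
# from IIS W3C extended log lines (the #Fields: header names the columns).
PROBE_PATH = "/probe/tls12.gif"  # hypothetical path rewritten to the TLS 1.2-only server

# Constructed sample log, not real traffic (203.0.113.0/24 is documentation space).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 00:00:01 GET /index.html 203.0.113.10 200
2024-01-01 00:00:01 GET /probe/tls12.gif 203.0.113.10 200
2024-01-01 00:00:02 GET /index.html 203.0.113.11 200
2024-01-01 00:00:02 GET /probe/tls12.gif 203.0.113.11 502
2024-01-01 00:00:03 GET /index.html 203.0.113.12 200
2024-01-01 00:00:04 GET /index.html 203.0.113.13 200
2024-01-01 00:00:04 GET /probe/tls12.gif 203.0.113.13 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def tls12_breakdown(text, probe_path=PROBE_PATH):
    """Return (page_clients, probe_ok_clients, pct_without_probe)."""
    page_clients, probe_ok = set(), set()
    for req in parse_w3c(text):
        ip = req["c-ip"]
        if req["cs-uri-stem"] == probe_path:
            if req["sc-status"] == "200":  # probe served: client negotiated TLS 1.2
                probe_ok.add(ip)
        else:
            page_clients.add(ip)
    # clients that loaded a page but never fetched the probe successfully
    missing = page_clients - probe_ok
    pct = 100.0 * len(missing) / len(page_clients) if page_clients else 0.0
    return len(page_clients), len(probe_ok), round(pct, 1)

if __name__ == "__main__":
    total, ok, pct = tls12_breakdown(SAMPLE_LOG)
    print(f"{total} clients, {ok} fetched the probe; ~{pct}% may lack TLS 1.2")
```

Clients behind a shared NAT address or with image loading blocked are counted as unsupported, so read the figure as an upper bound and point the script at the full set of rotated log files rather than a single day.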