We are deprecating support for TLS 1.0 and 1.1 on our websites since they are no longer considered secure.
How can we see the % of our visitors that would be affected by this change? (i.e. those visitors that don't support TLS 1.2.)
We use Windows Server 2012 R2 w/ IIS8.
Set up a 2nd server (such as a virtual machine, or a 2nd daemon on the same host). Use a rewrite rule to reverse proxy requests for something optional to the 2nd server, like an invisible image hidden on the page. Configure the 2nd server to only allow TLS 1.2; don't hotlink to another hostname... make sure to proxy, or it won't be secure so maybe the browser will have a warning, or maybe just never load the image.
Then track the requests for the image. Clients without support should have SSL/TLS errors. Clients with support would generate some '200 OK' logs. If the log doesn't say anything useful, try proxying to some javascript instead, which can do an AJAX request to log the traffic when successful (but a script blocker may stop this).
For testing your 2nd server's ssl/tls support before you rely on logs to make sense, use a good test like nmap which can list lots of details.
nmap --script ssl-enum-ciphers example.com
I'm not aware of any way of checking server logs to see what SSL/TLS protocol was used for the connection for Windows server (its easy enough with Nginx and Apache).
So the best way I can think of doing this is if you use any analytics software (e.g. Google Analytics) which track OS and browser versions. This won't be 100% accurate (some people turn off JavaScript and/or tracking in their browsers).
Note using Google Analytics or the like is much better than trying to figure out the cryptic USER_AGENT field, though in theory that's another way of doing this and that will probably be logged in your server logs. See here for more details on how to go about doing it that way if you want: https://stackoverflow.com/questions/17798944/get-browser-name-and-version-from-iis-log-file-in-log-parser.
Once you have the browser and OS version of your visitors, you can look up this table to see if they support TLS 1.2: https://en.m.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers, and that should allow you to work out a rough percentage.
You can also use the ssllabs scanning tool (https://www.ssllabs.com/ssltest/) which will scan you site to test your SSL/TLS setup - including a telling you which version of TLS and which cipher a list of reference browsers will use. Highly recommend doing this scan anyway to see the state of your SSL/TLS config.
You will be mostly concerned with older versions of IE and older versions of android.
You could also do some browser detection on your website to add a warning to these users for a month or so before you switch off TLS 1.0 and 1.1. It's very easy to have a "[if lt IE 11]" statement to include a CSS style sheet which shows a warning for older IE version However IE10 no longer supports this syntax in standards mode and it is an affected browser. Also doing this for older Android browsers is not as easy.
One possibility would be to use a reverse proxy (Squid, Apache, etc.) which can log the SSL/TLS handshake version. Alternatively, if you have a very limited (speaking of single-digit) number of webservice hosts, you could use Wireshark directly on the server to analyze the handshakes.
