
We will be turning off support for browsers that only support TLS1.0

When we turn off support for TLS 1.0 on our web server, can we redirect browsers that don't support TLS 1.1 or higher to an HTTP page explaining why they don't have access and what they can do about it?

Many users will already have our https:// in their favourites so we can't assume they will go to the http site first where we could display a message to unsupported browsers or forward supported browsers on to the secure site.

2 Answers

When we turn off support for TLS 1.0 on our web server, can we redirect browsers that don't support TLS 1.1 or higher to an HTTP page explaining why they don't have access and what they can do about it?

No. Once you turn off support for TLS 1.0 on your web server your visitors with ancient browsers won't be able to connect anymore, so you can't redirect them.

Also: if you use HSTS you probably won't be able to redirect to a plain HTTP page under your own domain. (Although if their browsers don't support TLS 1.1 or more recent they probably won't honour HSTS either, so that's not a problem.)

Instead: before switching off TLS 1.0 support you can start to log how many clients are still using old ciphers and make an informed impact analysis with something along the lines of:

CustomLog logs/ssl_cipher_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-agent}i\""

Additionally you can use the SSL environment variable SSL_PROTOCOL (SSLv3, TLSv1, TLSv1.1, TLSv1.2) to create a mod_rewrite rule to detect old ciphers and, for instance, redirect those requests (not tested):

RewriteCond %{SSL:SSL_PROTOCOL} =SSLv3  [OR]
RewriteCond %{SSL:SSL_PROTOCOL} =TLSv1
RewriteRule (.*) http://%{SERVER_NAME}/unsupported_tls_version.html [L,R=302]
HBruijn
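Once the CustomLog directive above has been running for a while, the question becomes how to turn that log into an impact figure. The following is an added example (not part of HBruijn's answer) that parses lines in exactly that log format and reports how much traffic, how many distinct client addresses and which user agents would be cut off when TLS 1.0 and older are disabled. The sample log lines are constructed for the example; the `LEGACY_PROTOCOLS` set and the field names are this example's own choices, not Apache settings.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# One line as written by the CustomLog format from the answer:
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%{User-agent}i"
# %t is Apache's bracketed timestamp, %h the client address.
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<ua>.*)"$'
)

# Protocol versions that stop working once TLS 1.0 and older are disabled.
# (Assumption for this example: TLS 1.1 is kept, as in the question.)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


class Entry(NamedTuple):
    time: str
    host: str
    proto: str
    cipher: str
    user_agent: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["time"], m["host"], m["proto"], m["cipher"], m["ua"])


def analyse(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise protocol usage and what would be lost by dropping legacy protocols."""
    entries: List[Entry] = [e for e in map(parse_line, lines) if e is not None]
    by_proto = Counter(e.proto for e in entries)
    legacy = [e for e in entries if e.proto in LEGACY_PROTOCOLS]
    total = len(entries)
    return {
        "total": total,
        "by_protocol": dict(by_proto),
        "legacy_requests": len(legacy),
        # Share of requests that would fail the handshake after the change.
        "legacy_share": (len(legacy) / total) if total else 0.0,
        # Distinct client addresses affected (a better proxy for users than hits).
        "legacy_hosts": len({e.host for e in legacy}),
        # Which browsers/tools those hits come from, most frequent first.
        "legacy_user_agents": Counter(e.user_agent for e in legacy).most_common(5),
    }


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[12/Feb/2016:10:01:02 +0000] 203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 10.0) Chrome/48.0"
[12/Feb/2016:10:01:05 +0000] 203.0.113.11 TLSv1 AES128-SHA "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
[12/Feb/2016:10:01:09 +0000] 198.51.100.7 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "Mozilla/5.0 (X11; Linux) Firefox/44.0"
[12/Feb/2016:10:01:12 +0000] 203.0.113.11 TLSv1 AES128-SHA "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
[12/Feb/2016:10:01:20 +0000] 192.0.2.44 TLSv1 DES-CBC3-SHA "Mozilla/5.0 (Linux; Android 4.1.2) AppleWebKit/534.30"
[12/Feb/2016:10:01:25 +0000] 198.51.100.9 TLSv1.1 ECDHE-RSA-AES128-SHA "Mozilla/5.0 (Macintosh) Safari/6.0"
[12/Feb/2016:10:01:30 +0000] 192.0.2.99 SSLv3 RC4-SHA "masscan/1.0"
this line is not in the expected format and is skipped
"""


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print(f"requests parsed:      {report['total']}")
    print(f"by protocol:          {report['by_protocol']}")
    print(f"legacy requests:      {report['legacy_requests']} "
          f"({report['legacy_share']:.1%}) from {report['legacy_hosts']} hosts")
    for ua, n in report["legacy_user_agents"]:
        print(f"  {n:4d}  {ua}")
```

Run it against the real file with `analyse(open('logs/ssl_cipher_log'))`; counting distinct hosts separately from hits matters because a single scanner on SSLv3 can inflate the request count without representing any real user.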

This is not possible.

HTTPS creates a secure connection first and then it uses that secure connection to send and receive HTTP messages on that secure connection (including redirects).

No common ciphers/TLS version means no connection and hence no HTTP messages.

HTTPS does not offer a fallback when a secure connection cannot be made, as it would be an attack vector to block a secure HTTPS connection.

With that reasoning aside @Hbruijn gives good advice on how to measure and therefore try to minimise the impact.

As TLSv1 removal becomes common (as mandated by PCI compliance) more and more sites will be turning this off and users will likely get this message a lot and so should take the hint. So the impacted user base should be small and obvious.

As the primary impact (for browsing at least) is likely to be IE10 you can also add something like the following to the top of your page for a while before removing TLSv1 support.

<!--[if lt IE 11]>
<p class="old-ie">
We notice you are using an old version of Internet Explorer that is shortly due to be unsupported on this site. Please upgrade to be able to continue to use this site.
</p>
<![endif]-->

This uses the special IE-specific conditional comment tags, and then you can style it as appropriate to make it a big, red, obvious warning.

Old Android is another likely candidate (which above will not help with) but since 4.4 the Chrome Webview (which does support TLSv1.2) is the default so hopefully most Android users should be unaffected.

Other than that, for most western sites anyway, it’s usually bots, scanners and other such tools rather than real traffic.

Barry Pollard