immutabl's questions

In the light of POODLE we have an urgent requirement to turn off SSL2/3 and TLS 1.0 on our public-facing webservers. However we're a public sector body and around 5-10% of visits to our sites are made using machines running Windows XP and lower browsers and our users are not the most tech-savvy and will start flooding our helplines if they try to visit a site they use regularly only to find it is 'down'.

What we'd like to do is show a message to users of older browsers informing them that SSL2/3 is no more and advising them to upgrade OS/ browser in order to keep using your sites. However it would appear that to detect SSL2/3 we have to have SSL2/3 enabled on our servers ...

Is there some other secure way of detecting requests over SSL2/3 and reacting accordingly?

We're looking to implement two-way authentication with client certificates for a privileged subset of our application users. The idea will be that if a certificate is detected the user will be asked for an additional password/PIN and that will be used to verify the certificate and user. Ordinary users will continue to authenticate themselves via the standard login mechanism.

Our production environment (hosted by a well-known company) comprises load-balanced application servers and I'm unclear as to how this set-up will handle the certificates and I'm not certain if there are any pitfalls I should be aware of. I would very appreciate some thoughts, comments or real-world advice on the subject.

One of our apps is calling a third-party webservice which has recently been switched to a different URI. We need to investigate this to try and see where the old address is being used (the code/config has been modified to the new one already). Is there a quick and lightweight way of logging any outbound HTTP requests the server is making?

Its an ASP.Net application running on Windows 2008 Server with IIS 7.