Caddy v2 doesn’t actually support TLS 1.1 or below, meaning the TLS handshake will never complete. If the handshake doesn’t complete successfully, the browser will always display an error. So what you want to do isn’t possible with Caddy. Your users simply need to upgrade to newer clients that support secure protocols.
Indeed users need to upgrade. It’s just that, in my case, the average user is a 60-year-old male, he uses the internet to do specific things, and our competitors’ websites don’t care about internet security. I therefore fear that our website might be marked dysfunctional, vis-à-vis our permissive (hence operational) competitors, long before the inevitable browser upgrade.
Mine is a bit of an edge case, I know. But I would be thrilled if, one day, Caddy supported this functionality out of the box. It would enable people like me, for example, to discontinue TLS 1.2 support early, instead of having to wait for everyone else to do it first.
I do not expect TLS 1.1 support to be re-added. My hope was that there might be room for a middle tier between supported and unsupported protocols (say deprecated protocols), of which TLS 1.2 will eventually become the first member. A simple matcher (say tls_deprecated) could then be used to redirect requests (to an informative error page). As I said, this would be a security enhancement, as it would enable Caddy users to discontinue TLS 1.2 support sooner rather than later.
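As an added illustration of the first reply's point (this is not code from the thread or from Caddy itself): a server whose floor is TLS 1.2 never completes a handshake with a TLS 1.1 client, so no HTTP request ever exists at which a redirect or an informative error page could be served. The certificate, the name `demo`, and the in-memory `net.Pipe` connection are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway in-memory certificate for the name "demo" (constructed for this example).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // demo helper: failing here is a programming error, not a runtime condition
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// HandshakeWith connects a client capped at clientMax to a server whose floor is TLS 1.2
// (the same floor Caddy v2 enforces) and returns the client's handshake error, if any.
func HandshakeWith(clientMax uint16) error {
	cert, pool := selfSignedCert()
	srvSide, cliSide := net.Pipe() // in-memory connection, no sockets needed
	go func() {
		srv := tls.Server(srvSide, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
		srv.Handshake() // an old client is refused here, before any HTTP request (or redirect) can exist
		srvSide.Close()
	}()
	cli := tls.Client(cliSide, &tls.Config{
		RootCAs: pool, ServerName: "demo", MinVersion: tls.VersionTLS10, MaxVersion: clientMax,
	})
	defer cli.Close()
	return cli.Handshake()
}

func main() {
	fmt.Println("TLS 1.1 client:", HandshakeWith(tls.VersionTLS11)) // non-nil: protocol version not supported
	fmt.Println("TLS 1.2 client:", HandshakeWith(tls.VersionTLS12)) // <nil>
}
```

Because the failure is a TLS alert rather than an HTTP response, the only place such clients can be observed is in the server's handshake error logs, which is where a deployment would have to count them.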