How to determine if we are getting TLS 1.0 / TLS 1.1

Hi,

Is there a way to look into the requests and determine if we are getting TLS 1.0 / TLS 1.1 requests from any of our clients?

Regards


mmmmmmmmm,

Yes/No, and

  1. today you can restrict the vhost to prevent use of TLS1.0 and 1.1, and
  2. soon Apigee will disable TLS1.0 and TLS1.1 for all SaaS customers (more info here), and
  3. also soon, you WILL BE able to determine the negotiated protocol and cipher via context variables

If you manage your own Edge instance, then you can look in the MP log to determine this information. If you are on Edge SaaS, then no, you cannot determine this information. Right now, regardless whether you use Edge SaaS or self-managed Edge, it is not possible within the policies of your Apigee Edge proxy to discern at runtime what TLS protocol (1.0, 1.1, 1.2, etc) or cipher (eg ECDHE-RSA-AES128-GCM-SHA256) was used in the connection between the client and the proxy.

Today, again regardless whether you use Edge SaaS or self-managed Edge, you can configure the vhost to disallow TLS1.0 and TLS1.1. Look here for how to do that.

If you are using the Edge SaaS, soon your question will be moot; Apigee will unilaterally disable TLS1.0 and TLS1.1 in the coming weeks. You or your orgadmin should have received notice of this impending change. This is being done just to keep your APIs secure; we know that TLS1.2 is suitable and TLS1.0/1.1 are dis-recommended. By forcing this, we're making sure people are staying secure.

And finally, in June, we expect to ship a new feature that will allow your API proxies, at runtime, to inspect the variables tls.protocol and tls.cipher, to allow you to determine the pertinent information for the TLS session. This feature will be available in the customer-managed version of Edge shortly thereafter, likely in the 18.09 release.

Stay tuned to the release notes for full details on this.
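The reply points to two places where the negotiated protocol can eventually be read: the message processor log on a self-managed Edge today, and the `tls.protocol` / `tls.cipher` variables once they ship. Either way, the practical job is the same: collect the protocol each client negotiated and list the clients still on TLS 1.0 or 1.1 so they can be contacted before the cutoff. The script below is an added example, not code from the thread or from Apigee; the log line layout (`client=... proto=... cipher=...`) and the protocol spellings are constructed for illustration, since the page does not show the real MP log format, and the log sample itself is made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The field layout is hypothetical; adapt LINE_RE
# to whatever your message processor actually writes (or to a CSV export of
# tls.protocol / tls.cipher once those variables are available to a proxy).
SAMPLE_LOG = """\
2018-05-01T10:00:01Z client=203.0.113.10 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 path=/v1/orders
2018-05-01T10:00:02Z client=203.0.113.11 proto=TLSv1 cipher=AES128-SHA path=/v1/orders
2018-05-01T10:00:03Z client=198.51.100.7 proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA path=/v1/customers
2018-05-01T10:00:04Z client=203.0.113.10 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 path=/v1/customers
2018-05-01T10:00:05Z client=198.51.100.7 proto=TLSv1.1 cipher=ECDHE-RSA-AES256-SHA path=/v1/orders
malformed line without any TLS fields
"""

# Protocol versions that should no longer be offered to clients.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)")


def normalize_protocol(proto):
    """Canonicalise the spellings seen in the wild: 'TLSv1' means TLS 1.0."""
    return "TLSv1.0" if proto == "TLSv1" else proto


def is_legacy(proto):
    """True when the negotiated protocol is one that is being retired."""
    return normalize_protocol(proto) in LEGACY_PROTOCOLS


def parse_log(text):
    """Extract (client, protocol, cipher) records; lines without TLS fields are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "client": m.group("client"),
            "proto": normalize_protocol(m.group("proto")),
            "cipher": m.group("cipher"),
        })
    return records


def protocol_summary(records):
    """Count how many connections negotiated each protocol version."""
    return Counter(r["proto"] for r in records)


def legacy_clients(records):
    """Map each client that negotiated a legacy protocol to a Counter of the versions it used."""
    report = defaultdict(Counter)
    for r in records:
        if is_legacy(r["proto"]):
            report[r["client"]][r["proto"]] += 1
    return dict(report)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("protocol mix:", dict(protocol_summary(recs)))
    for client, versions in legacy_clients(recs).items():
        print(f"{client} still negotiates {dict(versions)}")
```

Run it against an exported log instead of `SAMPLE_LOG` and the `legacy_clients` output is the contact list for the clients that will break when TLS 1.0 and 1.1 are disabled on the vhost. The same `is_legacy` check can be applied to the `tls.protocol` value inside a proxy once that variable is exposed, for example to raise a header or analytics flag on legacy connections without rejecting them outright during the migration period.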