diff --git a/cmd/derper/derper.go b/cmd/derper/derper.go
index d7007ed78..748fa333f 100644
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -51,9 +51,11 @@ var (
 )
 
 var (
-	stats           = new(metrics.Set)
-	stunDisposition = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+	stats             = new(metrics.Set)
+	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
+	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
+	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
+	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
 
 	stunReadError  = stunDisposition.Get("read_error")
 	stunNotSTUN    = stunDisposition.Get("not_stun")
@@ -67,6 +69,8 @@ var (
 func init() {
 	stats.Set("counter_requests", stunDisposition)
 	stats.Set("counter_addrfamily", stunAddrFamily)
+	stats.Set("tls_request_version", tlsRequestVersion)
+	stats.Set("gauge_tls_active_version", tlsActiveVersion)
 	expvar.Publish("stun", stats)
 }
 
@@ -238,6 +242,23 @@ func main() {
 			return cert, nil
 		}
 		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.TLS != nil {
+				label := "unknown"
+				switch r.TLS.Version {
+				case tls.VersionTLS10:
+					label = "1.0"
+				case tls.VersionTLS11:
+					label = "1.1"
+				case tls.VersionTLS12:
+					label = "1.2"
+				case tls.VersionTLS13:
+					label = "1.3"
+				}
+				tlsRequestVersion.Add(label, 1)
+				tlsActiveVersion.Add(label, 1)
+				defer tlsActiveVersion.Add(label, -1)
+			}
+
 			// Set HTTP headers to appease automated security scanners.
 			//
 			// Security automation gets cranky when HTTPS sites don't