Can I use TLSv1.0 for one client IP, TLS v1.2 for everyone else?

Solution 1:

Create two virtualhosts, differing only in the port that is used.

Use iptables to conditionally redirect the selected IP to the TLS 1.0 instance.

iptables -t nat -A PREROUTING -s CLIENT_OF_INTEREST -p tcp --dport 443 -j REDIRECT --to-port 344

Although, I must add that doing so would leave me feeling a bit yuck. It would be better, if at all possible, to make the client able to do TLS 1.2.

E.g., if it's Java, make sure you have the 'unlimited' crypto bits added on.

But I quite understand that this is not always possible.

Solution 2:

Yes, it's possible; you can set the SSLProtocol directive for each virtualhost.

The sample config you posted seems to be OK, but you are using default virtualhosts. You had better use IP:Port.

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
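
The two answers combined into one Apache 2.4 configuration: two IP:Port virtualhosts that differ only in port and SSLProtocol, with the TLS 1.0 one locked down to the single client. This is an added example, not the asker's config or code from either answer; the address 203.0.113.10, the ServerName, the certificate paths and the document root are placeholders, and CLIENT_OF_INTEREST stands for the client IP as in the iptables rule above.

```apache
# Added example with placeholder values (address, names, paths).
# Assumption: 203.0.113.10 is the primary address of the interface the
# traffic arrives on, since REDIRECT rewrites the destination to that address.
Listen 203.0.113.10:443
Listen 203.0.113.10:344

# Everyone else: TLS 1.2 only.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
</VirtualHost>

# Legacy client only: same site, TLS 1.0, reached through the
# PREROUTING REDIRECT from port 443 to port 344.
# Assumption: the OpenSSL build that httpd is linked against still
# permits TLS 1.0; otherwise the handshake fails regardless of this setting.
<VirtualHost 203.0.113.10:344>
    ServerName www.example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLProtocol TLSv1
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key

    # Second layer: refuse requests from any other source address.
    # This is checked after the TLS handshake, so it does not stop
    # other hosts from negotiating TLS 1.0 on this port.
    <Location "/">
        Require ip CLIENT_OF_INTEREST
    </Location>
</VirtualHost>

# To keep other hosts from reaching port 344 directly at all, filter it
# before Apache sees the connection. Redirected traffic from the client
# already has destination port 344 when it reaches the INPUT chain:
#   iptables -A INPUT -p tcp --dport 344 ! -s CLIENT_OF_INTEREST -j DROP
```

Running `apachectl configtest` after substituting real values confirms the syntax before a reload.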