For most of my sites, I have SSL 2.0 and 3.0 successfully disabled using: "SSLProtocol all -SSLv2 -SSLv3". I can confirm this using the ssllabs scanner.
For some sites, I know only company-owned systems will connect. I know that per internal policy, only the latest browsers are installed. So I can safely only allow in TLS 1.2, thereby eliminating any possible step-down attacks. When I configure Apache with "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1", it does not work as expected. Both my own testing with older browsers and ssllabs report that TLS 1.0 and 1.1 are still enabled. Any ideas how to configure mod_ssl to only allow TLS 1.2?
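An added example, not part of the original post: a small audit that evaluates every SSLProtocol directive found in a configuration and reports which contexts still permit SSLv2, SSLv3, TLS 1.0 or TLS 1.1, so a looser directive elsewhere in the configuration can be spotted. The +/- evaluation follows mod_ssl's directive syntax; the expansion of `all`, the sample configuration, the host name and the function names are assumptions.

```python
import re

# Protocol names as they appear in the post. Assumption: "all" expands to this
# whole list; the real expansion depends on the Apache and OpenSSL build.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
CANON = {name.lower(): name for name in KNOWN}

def effective_protocols(args, all_means=KNOWN):
    """Left to right: +name adds, -name removes, a bare name replaces the set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        names = set(all_means) if name == "all" else {CANON[name]}  # KeyError if unknown
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def audit(config_text):
    """Return (context, enabled, legacy_still_enabled) per SSLProtocol line."""
    context, findings = "server config", []
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        directive = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if opened:
            context = "VirtualHost " + opened.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            context = "server config"
        elif directive:
            enabled = effective_protocols(directive.group(1))
            findings.append((context, sorted(enabled), sorted(enabled & LEGACY)))
    return findings

# Constructed sample configuration (hypothetical host name).
SAMPLE = """
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    ServerName intranet.example.test
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Point `audit()` at the concatenated text of the main configuration and its included files to list every context whose directive still leaves a legacy protocol enabled.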