I have an IBM AIX machine running IBM HTTP Server version 8.5.5.0 which was recently configured to use TLS 1.2. Per corporate policy my server is supposed to use TLS 1.2, but for compatibility purposes we also have TLS 1.1 enabled. Testing with OpenSSL using openssl s_client -connect ihs8server.example.com:443 -tls1_2
reveals that the server is accepting TLS 1.2 connections properly. However, when I connect from my browser (Firefox ESR 38.7.0), the connection security information dialog says I got a TLS 1.1 connection.
Is there any way to configure IBM HTTP Server (or Apache for that matter, since IHS is very similar) to default to TLS 1.2 but allow the option of connecting over TLS 1.1 in case a client does not support it?
In Apache...
You can remove the protocols you do not want to support.
You can create Ciphers based on your preference and set the system to follow it/negotiate in that order.
Here's a good SSL cipher generator from Mozilla that is always up to date with the latest ciphers.
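A concrete Apache httpd mod_ssl fragment implementing the two points above (drop the unwanted protocols, let the server impose a cipher order with TLS 1.2-only suites first). This is an added example, not code from the answer; the certificate paths are placeholders and the hostname is the one from the question.

```apache
# Added example for an Apache httpd 2.4 TLS vhost.
# Goal from the question: TLS 1.2 with modern suites when the client can
# do it, TLS 1.1 still accepted for clients that cannot.
<VirtualHost *:443>
    # Hostname taken from the question
    ServerName ihs8server.example.com
    SSLEngine on
    # Placeholder paths; substitute the real certificate and key
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Remove the protocols you do not want to support.
    # SSLv3 and TLS 1.0 are disabled; TLS 1.1 and TLS 1.2 remain enabled.
    SSLProtocol all -SSLv3 -TLSv1

    # The server, not the client, decides which suite wins.
    SSLHonorCipherOrder on

    # TLS 1.2-only AEAD suites (GCM, SHA-2) first, then the CBC suites a
    # TLS 1.1 client can still negotiate. NULL, MD5, RC4 and 3DES excluded.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:!aNULL:!eNULL:!MD5:!RC4:!3DES
</VirtualHost>
```

Note that the protocol version is always the highest one both sides offer; cipher order only selects the suite within that version, so it cannot by itself cause a TLS 1.2-capable browser to land on TLS 1.1. After reloading, confirm both paths with openssl s_client -connect ihs8server.example.com:443 -tls1_2 and the same command with -tls1_1.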
IBM uses its own mod_ibm_ssl, which is not 100% compatible with Apache and OpenSSL. So you need to add SSLCipherSpec in a specific order.
Check slide 30 of this slide deck: https://www.slideshare.net/mobile/ChristophStoettner/sutol16-ibm-connections-deployment-best-practices?qid=954c5951-3d33-41ca-862c-33db5174feaf&v=&b=&from_search=1