in reply to Is it possible to check the client's SSL/TLS version?

Yes, just use the SSL_PROTOCOL environment variable set by Apache.

Re^2: Is it possible to check the client's SSL/TLS version?
by locked_user sundialsvc4 (Abbot) on Jul 16, 2015 at 22:36 UTC

    This will give you the major protocol version that is being used, but, so far as I know, you can’t get more detailed than that, e.g. what exact version (as in, build-number) of the stack the client-side is using.

    Possibly-useful links:

    • Test for SSL version   (What version is your Apache server running)
    • mod_ssl documentation   (Specifically, the SSLCipherSuite directive, which specifies what ciphers are acceptable.   Also SSLHonorCipherOrder, SSLProtocol.)

    Pragmatically, it might be better to cause Apache to refuse to honor any insecure protocol that you do not wish to use, than to check the version that made it through the negotiation process, within your application.   Just don’t allow not-secure-enough negotiations to succeed.

      What Rhandom pointed out is why we need to collect the information. Many thanks to hippo, sundialsvc4 for pointing out the documents, but I still don't quite understand this.

      Correct me if my question is silly. The protocol version (SSL/TLS version) I want to collect is the one from the clients, not from my Apache server. Is the var $ENV{SSL_PROTOCOL} my server's SSL version or the client's SSL version? My understanding is that the variable SSL_PROTOCOL is my Apache server's configuration variable, not from the client.

      Apache relies on OpenSSL to do security handshakes, so Apache does not care about the client's version of SSL/TLS? And could not log it?

        The protocol has to be the same on both ends otherwise the handshake fails. The protocol given by the environment variable SSL_PROTOCOL as mentioned in my post is the protocol of the particular connection, negotiated between the client and the server, and not a function of either in isolation.

        By all means try it and see.
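
Added example, not part of the original thread: a Perl sketch of collecting the per-connection protocol from `$ENV{SSL_PROTOCOL}` as discussed above and flagging connections that negotiated an old version. Assumptions: mod_ssl exports the variable to the script (`SSLOptions +StdEnvVars`), the `TLSv1.2` threshold is a site policy chosen for illustration, the function names are hypothetical, and the sample environments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Values mod_ssl can place in SSL_PROTOCOL, ranked oldest to newest.
my %RANK = (
    'SSLv2'   => 0, 'SSLv3'   => 1, 'TLSv1'   => 2,
    'TLSv1.1' => 3, 'TLSv1.2' => 4, 'TLSv1.3' => 5,
);
my $MIN_OK = 'TLSv1.2';    # assumption: the site's minimum acceptable protocol

# Classify the protocol negotiated for one request.
# Takes a hash ref shaped like %ENV; returns (status, detail).
sub classify_protocol {
    my ($env) = @_;
    my $proto = $env->{SSL_PROTOCOL};
    return ('none', 'SSL_PROTOCOL not set')    # plain HTTP, or variable not exported
        unless defined $proto && length $proto;
    return ('unknown', $proto) unless exists $RANK{$proto};
    return ($RANK{$proto} >= $RANK{$MIN_OK} ? 'ok' : 'legacy', $proto);
}

# Build one log record. The User-Agent comes from the client, so anything that
# is not printable ASCII (and the quote character) is replaced, which keeps
# each record on a single line.
sub log_record {
    my ($env) = @_;
    my ($status, $detail) = classify_protocol($env);
    my $ua = $env->{HTTP_USER_AGENT} // '-';
    $ua =~ s/[^\x20-\x21\x23-\x7e]/?/g;
    return sprintf 'addr=%s tls=%s detail="%s" ua="%s"',
        $env->{REMOTE_ADDR} // '-', $status, $detail, $ua;
}

# Constructed sample environments; in a CGI script pass \%ENV instead.
my @samples = (
    { REMOTE_ADDR => '192.0.2.10', SSL_PROTOCOL => 'TLSv1.2',
      HTTP_USER_AGENT => 'ExampleBrowser/1.0' },
    { REMOTE_ADDR => '192.0.2.11', SSL_PROTOCOL => 'TLSv1',
      HTTP_USER_AGENT => "OldClient/0.9\r\nforged=line" },
    { REMOTE_ADDR => '192.0.2.12' },    # no TLS variables present
);
print log_record($_), "\n" for @samples;
```

Apache can also record the same per-connection value without application code by adding `%{SSL_PROTOCOL}x` to a `CustomLog` format.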