Is there a way to configure Apache mod_ssl to allow TLS 1.0 for one particular IP while enforcing TLS 1.2 for all other IPs? I need to support connections from one legacy system that only supports TLS 1.0, but I would like to not completely open up TLS 1.0 for every host. I am aware of IP spoofing and such, but an IP-based restriction, if that is possible, seems to be the best compromise until the legacy system gets replaced.
1 Answer
There are 2 ways to solve your problem, depending on how exactly your client behaves, or on your preferences (native Apache with the Allow directive, or Rewrite-based).
You need to know whether the client supports SNI or not (a capture of the handshake would answer this question). Most clients support it, even for TLS 1.0, but as it is a legacy system, maybe it doesn't.
If SNI isn't supported, you can declare two Virtual Hosts: the idea is to send all legacy requests to the first VH (with TLS 1.0 support), and the 2nd VH will answer the others. The IP check is done by an Allow directive:
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
# For the legacy system. The first vhost on *:443 is the default, so clients
# that send no SNI land here. (NameVirtualHost is only needed on 2.2;
# Order/Deny/Allow need mod_access_compat on 2.4. SSLCertificateFile and
# SSLCertificateKeyFile must be added to each vhost.)
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName unknown
    SSLEngine on
    SSLProtocol TLSv1
    <Directory "/var/www/html">
        Order Deny,Allow
        Deny from all
        # your legacy IP (Apache does not accept a comment at the end of a directive line)
        Allow from 192.168.1.50
    </Directory>
</VirtualHost>
# For all others
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName my.domain.com
    SSLEngine on
    SSLProtocol TLSv1.2
    <Directory "/var/www/html">
        Order Deny,Allow
        Allow from all
    </Directory>
</VirtualHost>
If SNI is supported we can solve the problem with RewriteCond. I believe it takes more CPU, because it uses RewriteEngine, but solution 1 could be replaced by this one too. You need the Rewrite and Remoteip modules enabled.
NameVirtualHost *:443
SSLStrictSNIVHostCheck on
# For all others
<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName my.domain.com
    SSLEngine on
    SSLProtocol TLSv1 TLSv1.2
    RewriteEngine On
    # Refuse any request that arrived over TLS 1.0 ...
    RewriteCond %{SSL:SSL_PROTOCOL} ^TLSv1$
    # ... unless it comes from your legacy IP (anchored, dots escaped, so the
    # pattern matches only this address; REMOTE_ADDR is the real client when
    # mod_remoteip is configured behind a proxy)
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.50$
    RewriteRule .* - [F]
    <Directory "/var/www/html">
        Order Deny,Allow
        Allow from all
    </Directory>
</VirtualHost>
Let us know the result.
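Whichever variant you deploy, verify it from the outside rather than trusting the config. The following script is an added example, not part of the answer above: it drives openssl s_client against the server once with TLS 1.0 and no SNI, once with TLS 1.0 and SNI, and once with TLS 1.2, and reports what was negotiated and what HTTP status came back. HOST and PORT are assumptions (override them in the environment); the parsing functions take the captured s_client output as a string so they can be exercised without a server. Two things the probe makes visible: in both configurations the server still completes a TLS 1.0 handshake with a non-legacy client and only refuses at the HTTP layer (protocol=TLSv1, http=403), which is different from the handshake itself being refused (protocol=none); and whether the second vhost's SSLProtocol TLSv1.2 is actually applied to SNI clients depends on the httpd and OpenSSL versions in use, so check that row in particular.

```shell
#!/bin/sh
# Added example (not from the original answer): probe a deployed server to
# confirm the TLS 1.0 policy. HOST/PORT are assumptions; run the script as
# "sh probe.sh run" once from the legacy host 192.168.1.50 and once from any
# other host, and compare the two reports.
HOST="${HOST:-my.domain.com}"
PORT="${PORT:-443}"

# One s_client exchange. $1 = OpenSSL version flag (-tls1 or -tls1_2),
# $2 = "sni" or "nosni". -noservername needs OpenSSL 1.1.1 or newer (older
# s_client sends no SNI unless -servername is given). If your OpenSSL build
# refuses TLS 1.0 on the client side, add -cipher 'DEFAULT:@SECLEVEL=0'.
# A request is sent so the HTTP status of the Rewrite/Allow decision is visible.
probe() {
    ver="$1"
    if [ "$2" = nosni ]; then sni=-noservername; else sni="-servername $HOST"; fi
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$HOST" |
        openssl s_client -connect "$HOST:$PORT" "$ver" $sni 2>&1
}

# Protocol actually negotiated, or "none" when the handshake was refused.
# s_client still prints a "Protocol" line on failure, so the cipher line
# ("Cipher is (NONE)") is the reliable indicator.
negotiated_protocol() {
    case "$1" in
        *"Cipher is (NONE)"*) echo none; return ;;
    esac
    p=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -n "$p" ]; then echo "$p"; else echo none; fi
}

# HTTP status code from the response, or "none" if no response was received.
http_status() {
    s=$(printf '%s\n' "$1" | sed -n 's|^HTTP/[0-9.]* \([0-9][0-9]*\).*|\1|p' | head -n 1)
    if [ -n "$s" ]; then echo "$s"; else echo none; fi
}

# One report line: label, negotiated protocol, HTTP status.
report() {
    out=$(probe "$2" "$3" || true)
    printf '%-22s protocol=%-8s http=%s\n' "$1" \
        "$(negotiated_protocol "$out")" "$(http_status "$out")"
}

if [ "${1:-}" = run ]; then
    # Expected from 192.168.1.50:  TLS1.0 rows show protocol=TLSv1 and the
    #                              site's normal status (e.g. 200).
    # Expected from any other IP:  protocol=TLSv1 http=403 means the handshake
    #                              was completed and refused at the HTTP layer;
    #                              protocol=none means the handshake itself was
    #                              refused (only happens where the TLSv1.2-only
    #                              vhost's SSLProtocol is honoured).
    report "TLS1.0, no SNI" -tls1 nosni
    report "TLS1.0, SNI" -tls1 sni
    report "TLS1.2, SNI" -tls1_2 sni
fi
```

Run it with the `run` argument; without it the script only defines the functions, so it can be sourced and its parsers tested on saved s_client output.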