
On SSL Labs, I'm getting that TLS 1.0 is enabled on my server. I tried many configurations to disable this, like

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

and

SSLProtocol +TLSv1.2 +TLSv1.3

But no matter what I do, SSL Labs always says that it's enabled. There are other questions that discussed this, like this one, but it doesn't help. I grepped the whole Apache directory, and I'm sure this is the only instance of SSLProtocol enabled.

One thing to mention is that SSL Labs shows the following when I hover the mouse over the TLS 1.0 entry:

TLS 1.0 support observed only with client that does not support Server Name Indication.

Is there something else I should do to disable TLS 1.0?

EDIT:

I'm now using: SSLProtocol TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1 but that doesn't work either. I still see TLS 1.0 in SSL Labs.


I just had a long battle with this. My server is running CentOS 7 and I have a bunch of sites that have Let's Encrypt SSLs. I found two instances of SSLProtocol in the /etc/httpd directory (which will be /etc/apache2 on other servers):

[root@server httpd]# find ./ -type f -exec grep -i sslprotocol {} +
./conf.d/ssl.conf:SSLProtocol all -SSLv2 -SSLv3
./conf.d/ssl.conf:SSLProtocol All -SSLv2 -SSLv3

I changed those to SSLProtocol TLSv1.2 as per this answer and restarted the httpd service, but SSL Labs still showed that TLS 1.0 and 1.1 were enabled.

After a bit of digging I found that another configuration file is included in the *-le-ssl.conf files in the /etc/httpd/sites-available directory: /etc/letsencrypt/options-ssl-apache.conf. I only needed to change SSLProtocol all -SSLv2 -SSLv3 to SSLProtocol TLSv1.2 in that file (and restart httpd). All the certificates now have an A+ rating.

unhack
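Both the question and the answer come down to the same two things: an SSLProtocol directive that was not found (certbot's options-ssl-apache.conf, pulled in by Include), and a vhost that was not expected (a client that sends no SNI, which is what the SSL Labs note describes, is served by the default vhost for that IP:port, so that vhost's SSLProtocol is the one being tested). The following is an added shell example, not code from either post. It lists every active SSLProtocol directive under the directories you name, evaluates what one SSLProtocol argument list actually enables (modelling mod_ssl's rule that a bare name or `all` replaces the set while `+`/`-` adjust it, and ignoring SSLv2/SSLv3, which modern OpenSSL builds do not offer anyway), and probes a host for TLS 1.0 once with SNI and once without. The directory paths, the host name, the `-noservername` probe (OpenSSL 1.1.1 or later) and the `@SECLEVEL=0` cipher string (needed on OpenSSL 3 so the client is willing to offer TLS 1.0 at all) are assumptions; sample config files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): find every
# SSLProtocol directive Apache might load, work out what one directive
# actually enables, and probe a host for TLS 1.0 with and without SNI.

# list_sslprotocol DIR...: print FILE:ARGS for every active (uncommented)
# SSLProtocol line under the given directories. Pass the httpd tree AND
# /etc/letsencrypt, because certbot's options-ssl-apache.conf is pulled in
# via Include from the *-le-ssl.conf vhost files and is easy to miss.
list_sslprotocol() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -exec grep -Hi '^[[:space:]]*SSLProtocol[[:space:]]' {} + 2>/dev/null
    done | sed 's/:[[:space:]]*[Ss][Ss][Ll][Pp][Rr][Oo][Tt][Oo][Cc][Oo][Ll][[:space:]]*/:/' | sort
}

# sslprotocol_enabled ARGS...: echo the TLS versions one SSLProtocol argument
# list enables, in canonical order. Rules modelled (assumption, after mod_ssl's
# documented handling): '+name' adds, '-name' removes, a bare name or 'all'
# REPLACES whatever was set so far. Only TLSv1..TLSv1.3 are modelled;
# SSLv2/SSLv3 tokens are accepted but contribute nothing.
sslprotocol_enabled() {
    enabled=""
    for w in $*; do
        case $w in
            +*) op=add; name=${w#+} ;;
            -*) op=del; name=${w#-} ;;
            *)  op=set; name=$w ;;
        esac
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        case $name in
            all)         members="TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            tlsv1)       members="TLSv1" ;;
            tlsv1.1)     members="TLSv1.1" ;;
            tlsv1.2)     members="TLSv1.2" ;;
            tlsv1.3)     members="TLSv1.3" ;;
            sslv2|sslv3) members="" ;;
            *) echo "unknown protocol token: $w" >&2; return 2 ;;
        esac
        case $op in
            set) enabled=$members ;;
            add) for m in $members; do
                     case " $enabled " in *" $m "*) ;; *) enabled="$enabled $m" ;; esac
                 done ;;
            del) new=""
                 for s in $enabled; do
                     case " $members " in *" $s "*) ;; *) new="$new $s" ;; esac
                 done
                 enabled=$new ;;
        esac
    done
    out=""
    for v in TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        case " $enabled " in *" $v "*) out="$out $v" ;; esac
    done
    printf '%s\n' "${out# }"
}

# tls10_allowed ARGS...: exit 0 if the SSLProtocol argument list leaves TLS 1.0 on.
tls10_allowed() {
    case " $(sslprotocol_enabled "$@") " in
        *" TLSv1 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# probe_tls10 HOST [PORT]: attempt a TLS 1.0 handshake twice, with SNI and
# without. A client that sends no SNI is answered by the default vhost for
# that IP:port, which is the case SSL Labs' note is reporting on.
# On success s_client prints "New, TLSv1.0, Cipher is <name>"; on refusal
# it prints "New, (NONE), Cipher is (NONE)".
probe_tls10() {
    host=$1; port=${2:-443}
    for sni in "-servername $host" "-noservername"; do
        if printf 'Q\n' | openssl s_client -connect "$host:$port" -tls1 \
                -cipher 'DEFAULT:@SECLEVEL=0' $sni 2>/dev/null \
             | grep -q 'New, .*Cipher is [^(]'; then
            echo "TLS 1.0 ACCEPTED with $sni"
        else
            echo "TLS 1.0 refused with $sni"
        fi
    done
}
```

Usage: `list_sslprotocol /etc/httpd /etc/letsencrypt` (or /etc/apache2 on Debian-style layouts) shows every directive and the file it lives in; feeding each value to `sslprotocol_enabled` tells you what it turns on, so `all -SSLv2 -SSLv3` comes back with TLSv1 still present while `TLSv1.2 +TLSv1.3 -TLSv1 -TLSv1.1` does not. After restarting httpd, `probe_tls10 www.example.com` repeats SSL Labs' check locally; `httpd -S` (equivalently `apachectl -S`) lists which vhost is the default for each IP:port, and that vhost's effective SSLProtocol is the one the SNI-less probe is negotiating against.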