**Updates**

Does Qualys use `nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 <target>` to obtain a list of cipher suites on the target server? The cipher suite output from this command is different from the output of the openssl command. Notice the discrepancies?

```
...
| ssl-enum-ciphers:
| TLSv1.1
| Ciphers (19)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
| TLS_RSA_WITH_RC4_128_SHA
| TLS_RSA_WITH_SEED_CBC_SHA
| Compressors (1)
| uncompressed
| TLSv1.2
| Ciphers (31)
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
...
```

**Original Question**

Recently I made changes to openssl on the server to support only TLS 1.1 and 1.2 with explicit protocols. The test did recognize that only these 2 protocols are supported. However, the cipher suites Qualys displayed are different from those the server reported here.

Here is what the server said it supports.

```
tls1_1: ECDHE-RSA-AES256-SHA
tls1_1: DHE-RSA-AES256-SHA
tls1_1: DHE-RSA-CAMELLIA256-SHA
tls1_1: AES256-SHA
tls1_1: CAMELLIA256-SHA
tls1_1: ECDHE-RSA-AES128-SHA
tls1_1: DHE-RSA-AES128-SHA
tls1_1: DHE-RSA-CAMELLIA128-SHA
tls1_1: AES128-SHA
tls1_1: CAMELLIA128-SHA
tls1_2: ECDHE-RSA-AES256-GCM-SHA384
tls1_2: ECDHE-RSA-AES256-SHA384
tls1_2: ECDHE-RSA-AES256-SHA
tls1_2: DHE-RSA-AES256-GCM-SHA384
tls1_2: DHE-RSA-AES256-SHA256
tls1_2: DHE-RSA-AES256-SHA
tls1_2: DHE-RSA-CAMELLIA256-SHA
tls1_2: AES256-GCM-SHA384
tls1_2: AES256-SHA256
tls1_2: AES256-SHA
tls1_2: CAMELLIA256-SHA
tls1_2: ECDHE-RSA-AES128-GCM-SHA256
tls1_2: ECDHE-RSA-AES128-SHA256
tls1_2: ECDHE-RSA-AES128-SHA
tls1_2: DHE-RSA-AES128-GCM-SHA256
tls1_2: DHE-RSA-AES128-SHA256
tls1_2: DHE-RSA-AES128-SHA
tls1_2: DHE-RSA-CAMELLIA128-SHA
tls1_2: AES128-GCM-SHA256
tls1_2: AES128-SHA256
tls1_2: AES128-SHA
tls1_2: CAMELLIA128-SHA
```

Here is what Qualys reported. How is that possible?

<long content truncated>

Thanks. The issue is now resolved. For those who share similar issues here, check your Apache/Httpd virtual host configurations so as not to override your base configuration. Inherit from the base and, when necessary, tweak that in each of your virtual host configurations. For ciphers, just inherit from base.
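
One way to run the check described in the resolution above, added here as an example and not part of the original post: a small Python scanner that reports every `<VirtualHost>` block setting `SSLProtocol` or `SSLCipherSuite` differently from the base configuration. The sample configuration, host names and the function name `find_vhost_overrides` are constructed for illustration, and `Include` files are not followed.

```python
# Constructed sample (not from the original post): the base sets protocols and
# ciphers; one virtual host inherits them and one overrides both.
SAMPLE_CONF = """\
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!SEED

<VirtualHost *:443>
    ServerName inherits.example.test
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName overrides.example.test
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!aNULL
</VirtualHost>
"""

WATCHED = ("sslprotocol", "sslciphersuite")  # Apache directive names, lowercased

def find_vhost_overrides(conf_text):
    """Return (server_name, directive, vhost_value, base_value) for every
    watched directive a <VirtualHost> sets differently from the base.
    Assumption: Include files are not followed; pass the concatenated config."""
    base, vhosts, current = {}, [], None
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key.startswith("<virtualhost"):
            current = {"name": "(unnamed)", "set": {}}
            vhosts.append(current)
        elif key.startswith("</virtualhost"):
            current = None
        elif key == "servername" and current is not None:
            current["name"] = value
        elif key in WATCHED:
            (base if current is None else current["set"])[key] = value
    # Compare after the whole file is read, so directive order does not matter.
    return [(v["name"], d, val, base.get(d))
            for v in vhosts for d, val in v["set"].items() if val != base.get(d)]

if __name__ == "__main__":
    for name, directive, got, expected in find_vhost_overrides(SAMPLE_CONF):
        print(f"{name}: {directive} = {got!r} (base: {expected!r})")
```

Any virtual host it reports is one where an external scan can show protocols or cipher suites that the base configuration does not list.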