Here is what is set in my httpd.conf
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLProtocolEnable TLSv12
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
But your test says that TLS 1.1 is enabled. Any explanation ? thanks
thanks for the reply
Does it make any difference if we are using Akamai or another CDN?
Could be depends on what they are doing. Most of them I would suspect are going to be fine with supporting TLS 1.0 for sometime to maximize traffic. Also they may accept it and then upgrade the connection similar to how an F5 or other load balance may take an incoming connection that is say SSLv3 and then change it to TLS 1.2 on the back end.
Usually they are used when the backend does not support the higher protocols then we frontend upgrade so any client trying to connect only will see TLS 1.2 and has no idea on the backside what is happening.
You may try to do a scan bypassing the CDN if possible.
David
If you are using a CDN, like Akamai, then they will typically "terminate SSL" for you. This means they handle the SSL/TLS connection for requests to your domain. It is now their SSL/TLS configuration (for your domain) that is being tested. Changes to protocols or ciphers in your server configuration will not change the results. If you want TLS 1.1 disabled, then you will need to work with your CDN vendor. For example, AWS Cloudfront offers different TLS configurations with various combinations of protocols and ciphers.
Mr. Clement,
What you may be seeing is that TLS 1.0 could be getting used during the client hello part of your packets. Need to do a capture to be sure.
Typically I would recommend you disable ALL protocols then enable only the ones you want like you did for the CipherSpec.
I did this in Apache.
David