
[Answered] [Urgent help] Security scan still flags TLS 1.0/1.1 after disabling the protocols...

Posted in Linux Panel, 2025-4-5 20:53

This post was last edited by ccoder on 2025-4-14 08:28
Panel and plugin versions:

BT Panel version: 9.5.0
System version:

Operating system: Ubuntu 24.4
nginx: 1.26.3
openssl: 3.0.13
Problem description:

1. Current configuration:
The Nginx configuration file explicitly sets: ssl_protocols TLSv1.2 TLSv1.3;
Confirmed that the configuration is in effect.

2. The contradiction:
A local test with openssl s_client -connect shows only TLS 1.2 support.
Third-party security scanners (and some remote servers) still detect TLS 1.0/1.1 support.

3. Already ruled out:
✓ Confirmed the nginx.conf directive is in the correct scope (http/server block)
✓ Ran nginx -t to validate the configuration syntax
✓ Ran systemctl reload nginx and a full restart
✓ Checked that there are no duplicate ssl_protocols declarations
✓ No intermediate proxy layer
✓ Checked nginx -T for other port-443 configurations (none); the panel's SSL setting is turned off


Posted 2025-4-5 21:11:13
Local test result:
root@production:~# openssl s_client -connect defend.hnzthgroup.com:443 -tls1
CONNECTED(00000003)
40477DE83F760000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---


Test result from another server:
[root@localhost ~]# openssl s_client -connect defend.hnzthgroup.com:443 -tls1
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
verify return:1
depth=0 CN = defend.hnzthgroup.com
verify return:1
00C23BE34B7F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2254:
---
Certificate chain
0 s:CN = defend.hnzthgroup.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
   aKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  8 00:00:00 2025 GMT; NotAfter: Jan  8 23:59:59 2026 GMT
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
   aKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 27 12:46:40 2017 GMT; NotAfter: Nov 27 12:46:40 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
`````````
-----END CERTIFICATE-----
subject=CN = defend.hnzthgroup.com
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Encryption Everywhere DV TLS CA - G2
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3139 bytes and written 141 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1743857364
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
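Reading the two captures side by side, as an added note and example that is not part of the thread: the first capture fails with `no protocols available`, an error raised by the client's own OpenSSL library (3.x does not offer TLS 1.0/1.1 at its default security level) before any ClientHello goes out (0 bytes read, 7 written), so it proves nothing about the server. The second capture shows the server sending its certificate chain and a session with `Protocol : TLSv1`, meaning the server did negotiate TLS 1.0 for that connection, which agrees with the scanner; the `legacy sigalg disallowed` error there is again the client objecting, but only after the server had already accepted the version. The script below is added here (it is not the forum's or the panel's code): it classifies `openssl s_client` output along those lines, runs the probe with `-cipher 'DEFAULT:@SECLEVEL=0'` so that a 3.x client really offers TLS 1.0, and goes beyond the thread by probing every address the name resolves to, since a scanner may reach an address the local test never did. The sample captures inside are constructed from the shapes above with a placeholder host, and all function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): make the openssl s_client check conclusive.

# classify_s_client_output: reads s_client output on stdin and prints one word:
#   client_refused  - the local OpenSSL would not offer the version; nothing was sent,
#                     so the result says nothing about the server
#   connect_error   - no TCP connection was made
#   server_refused  - the server answered with a protocol_version/handshake_failure alert
#   server_accepted - the server completed its side of the handshake (sent its
#                     certificate chain), i.e. it accepts the offered version
#   unknown         - none of the markers above
classify_s_client_output() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo client_refused
    elif printf '%s\n' "$out" | grep -q 'connect:errno'; then
        echo connect_error
    elif printf '%s\n' "$out" | grep -Eq 'alert (protocol version|handshake failure)'; then
        echo server_refused
    elif printf '%s\n' "$out" | grep -Eq '^Certificate chain$|^ *Protocol *: *TLSv1(\.1)? *$'; then
        echo server_accepted
    else
        echo unknown
    fi
}

# probe_tls_version HOST [PORT] [ADDRESS] [VERSION]: offer exactly one legacy version.
# VERSION is an s_client flag such as -tls1 or -tls1_1 (default -tls1).
probe_tls_version() {
    local host=$1 port=${2:-443} addr=${3:-$1} version=${4:--tls1}
    case $addr in *:*) addr="[$addr]" ;; esac   # bracket IPv6 literals for -connect
    # '@SECLEVEL=0' is an OpenSSL cipher-string modifier; without it a 3.x client
    # fails with "no protocols available" before a ClientHello is sent.
    openssl s_client -connect "$addr:$port" -servername "$host" "$version" \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>&1 | classify_s_client_output
}

# probe_all_addresses HOST [PORT] [VERSION]: probe every A/AAAA address behind the
# name, because a scanner may hit an address or listener the local test never reached.
probe_all_addresses() {
    local host=$1 port=${2:-443} version=${3:--tls1} addr
    for addr in $(getent ahosts "$host" | awk '{print $1}' | sort -u); do
        printf '%s %s %s: %s\n' "$host" "$addr" "$version" \
            "$(probe_tls_version "$host" "$port" "$addr" "$version")"
    done
}

# Constructed sample outputs modelled on the two captures in the thread (placeholder host).
sample_local_capture() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        '40477DE83F760000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:' \
        '---' \
        'SSL handshake has read 0 bytes and written 7 bytes'
}
sample_remote_capture() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        'depth=0 CN = example.invalid' \
        '00C23BE34B7F0000:error:0A00014D:SSL routines:tls_process_key_exchange:legacy sigalg disallowed or unsupported:ssl/statem/statem_clnt.c:2254:' \
        '---' \
        'Certificate chain' \
        '0 s:CN = example.invalid' \
        '---' \
        'SSL handshake has read 3139 bytes and written 141 bytes' \
        'SSL-Session:' \
        '    Protocol  : TLSv1' \
        '    Cipher    : 0000'
}

# With a host name argument, probe it for real; otherwise classify the constructed samples.
if [ -n "${1:-}" ]; then
    probe_all_addresses "$1" "${2:-443}" "${3:--tls1}"
else
    echo "local capture : $(sample_local_capture | classify_s_client_output)"
    echo "remote capture: $(sample_remote_capture | classify_s_client_output)"
fi
```

Run it as `bash probe.sh your.host.example 443 -tls1` (and again with `-tls1_1`) from the server itself and from an outside host; a `server_accepted` on any address is the listener the scanner is seeing, and `client_refused` means the probing client, not the server, ended the attempt.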
Posted 2025-4-8 15:21:53
To enable HTTP/3 you need the browser to have HTTP/3 enabled and UDP port 443 open.
Nginx configuration reference:

    listen 443 quic reuseport;
    listen 443 ssl;
    http3 on;
    http2 on;
    ssl_protocols       TLSv1.3;   # TLSv1.3 must be enabled

    location / {
          # Tell the browser via a response header that the server supports HTTP/3, and which port HTTP/3 listens on
          add_header Alt-Svc 'h3=":443"; ma=86400';
    }