Home>
I want to disable anything other than TLS1.2

When performing encrypted communication from a proxy server to an external site
To disable protocols other than TLS1.2
It was set to limit the encryption protocol to TLS1.2 only.
From the IncludeOptional directive in httpd.conf,
Confirming reading into the conf.d directory.

Problem

Communication with TLS1 and TLS1.1 is possible even if -all + TLSv1.2 is described in SSLProtocol of ssl.conf.
You can communicate with all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1.

Since SSL3 couldn't communicate, I'm expecting it to reflect the default.
I wondered if Virtualhost wasn't loaded,
The log was taken to the specified location.
The result was the same even if it described in httpd.conf.

Server information

Apache/2.4.6 (Red Hat Enterprise Linux)
OpenSSL 1.0.2k-fips
Two external sites communicating

httpd.conf contents

Some information is deleted or written as "quote".

ServerRoot "/ etc/httpd"
Listen 8080
Include conf.modules.d/*. Conf
User
Group
ServerAdmin
ServerName 192.168.xxx.xxx
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/ var/www/html"
<Directory "/ var/www">
    AllowOverride
    Require
</Directory>
<Directory "/ var/www/html">
    Options
    Require
</Directory>
<IfModule dir_module>
    DirectoryIndex
</IfModule>
<Files "">
    Require
</Files>
ErrorLog "/"
LogLevel notice
<IfModule log_config_module>
    LogFormat
    LogFormat
    LogFormat
    <IfModule logio_module>
      LogFormat
    </IfModule>
CookieTracking on
CookieExpires ""
LogFormat
    CustomLog /
</IfModule>
<IfModule alias_module>
</IfModule>
<IfModule mime_module>
</IfModule>
AddDefaultCharset off
<IfModule mime_magic_module>
    MIMEMagicFile
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*. Conf
SSLProxyEngine on
<Location/Bxxxxxxxxxxxx>
LoadModule headers_module modules/mod_headers.so
RequestHeader append Authorization "Basic AAAAAAAAAAAAAA"
Header edit Set-Cookie QQQQQQQQQQQQQQ
</Location>
TraceEnable off
Header always append X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ServerTokens ProductOnly
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 10
Contents of ssl.conf

Some information is deleted or written as "quote".

SSLCryptoDevice builtin
<VirtualHost _default_: 443>
ServerName xxx.xxx.xxx.xxx #IP address of proxy server
ErrorLog
TransferLog
LogLevel notice
SSLEngine on
SSLProtocol -all + TLSv1.2
SSLCipherSuite HIGH: 3DES:! ANULL:! MD5:! SEED:! IDEA
SSLCertificateFile /
SSLCertificateKeyFile /
<Files ~ "\">
    SSLOptions
</Files>
<Directory "/">
    SSLOptions
</Directory>
BrowserMatch "" \
CustomLog
</VirtualHost>
Supplement

How to setup
vim ./ssl.conf
apachectl configtest
systemctl restart httpd
systemctl status httpd
openssl s_client -connect www.yyyyyyyy.co.jp:443 -tls1
The above 5 commands are executed.

I would like to know how the settings will be effective and if there are any strange points.