Unable to disable TLSv1.0 and TLSv1.1 on nginx
After many iterations and experimentation what I found was that somehow the cipher list I'd specified appears to relate to this problem. Once I got this list right TLSv1 and TLSv1.1 are in fact correctly disabled (again according to the Qualsys SSL Labs Test and we do once again show an A+ grade for our sites. Here are the settings that got us there:
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
One resource I found during this experimentation that seems worth keeping around is the Mozilla SSL Configuration Generator. This allowed me to confirm the sanity of my server configuration and get a larger list of supported secure ciphers.
--
Nowhere else that I ran into mentioned this - so maybe it was something about a slightly older version of nginx I was using? Whatever the case - I hope this helps someone save a bunch of time.