Reputation: 219
I have been trying to resolve a vulnerability picked up by Qualys:
QID: 38628 Vulnerability: Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server supports Transport Layer Security (TLSv1.0)
I have done the below, which is found all over the net, to remove the support, but it is still stating that it is supported:
Under these folders:
Set these entries to what is noted
Under this folder:
Set these entries to what is noted
Under this folder:
Set these entries to what is noted
Under this folder:
Completed the below:
I also disabled TLS1.0 and TLS1.1 in Internet Options under the Advanced tab
I have resorted to checking each active port individually. Some obviously don't accept TLS1.0, but for others I get this when running 'openssl s_client -connect ip:port -tls1':
CONNECTED(00000178) 70010000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl\statem\statem_lib.c:104:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
I believe that this means TLS 1.0 is not supported on that port, but I just wanted to be absolutely sure that this is what this means.
As a gift, please find a PowerShell script I used to check each active port on my server. Maybe someone can use it:
#You will need to install OpenSSL
#Open CMD on the server you are checking and execute: netstat -aon > c:\list.txt
#Collect list.txt and extract all the ports from the Local Address list using Notepad++ or your fave text editor
#Put the extracted port list into Excel, go to Data tab > Data Tools > Remove Duplicates. Sort if desired
#Copy the new list from Excel into a new txt file and call it PortList.txt. Put it in the location shown in the $path variable
#Have at it
$path="C:\path\to\file\PortList.txt" #update this
$openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
$Result="C:\path\to\file\Result.txt" #update this
$server="Server_IP_address" #change this to the IP of your server EG: 127.0.0.1
function portcheck($port){
    Add-Content -Path $Result -Value `n
    Add-Content -Path $Result -Value "Testing port number $port"
    Add-Content -Path $Result -Value `n
    # "Q" on stdin makes s_client quit right after a successful handshake instead of waiting for input;
    # 2>&1 merges OpenSSL's stderr (where the handshake errors are printed) into the result file
    "Q" | & "$openssl" s_client -connect "${server}:$port" -tls1 2>&1 | Add-Content -Path $Result
    Add-Content -Path $Result -Value "================================================================================"
}
$data = Get-Content $path
foreach($row in $data){
    if ([string]::IsNullOrWhiteSpace($row)) { continue } # skip blank lines in the port list
    portcheck $row
}
Upvotes: 0
Views: 617
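The s_client output quoted in the question can be read two ways, and the difference matters for closing a Qualys finding: "no protocols available" with "read 0 bytes" is raised by the OpenSSL client before any server data arrives (a modern OpenSSL build refusing to offer TLS 1.0 at its default security level), whereas a server that really rejects TLS 1.0 answers with an alert or closes the connection after reading the ClientHello. The following Python script is an added example, not the poster's script or anything from Qualys or OpenSSL. It classifies saved s_client output into those cases (the first sample mirrors the output in the question; the other two are constructed to show a server-side rejection and an accepted TLS 1.0 handshake) and includes a second function that offers only TLS 1.0 to a host and port of your choosing using Python's ssl module, so the result does not depend on the OpenSSL command-line defaults. The host, port and the alert text in the constructed samples are assumptions for illustration.

```python
import re
import socket
import ssl

# Sample outputs, constructed for this example. CLIENT_REFUSED_SAMPLE follows the
# output quoted in the question; the other two are constructed to show the shape of a
# server-side rejection (alert after reading the ClientHello) and an accepted handshake.
CLIENT_REFUSED_SAMPLE = """CONNECTED(00000178)
70010000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:ssl\\statem\\statem_lib.c:104:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
"""

SERVER_REJECTED_SAMPLE = """CONNECTED(00000003)
error:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:(constructed placeholder):SSL alert number 70
no peer certificate available
SSL handshake has read 7 bytes and written 131 bytes
New, (NONE), Cipher is (NONE)
"""

SERVER_ACCEPTED_SAMPLE = """CONNECTED(00000003)
SSL handshake has read 1234 bytes and written 300 bytes
Verification: OK
New, TLSv1.0, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

HANDSHAKE_RE = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")
PROTOCOL_RE = re.compile(r"Protocol\s*:\s*(TLSv1(?:\.\d)?|SSLv\d)")
REJECT_RE = re.compile(r"alert (?:protocol version|handshake failure|internal error)"
                       r"|unsupported protocol|wrong version number")


def classify_sclient_output(text: str) -> dict:
    """Turn one openssl s_client transcript into a verdict about TLS 1.0 support.

    CLIENT_REFUSED  - the local OpenSSL never offered TLS 1.0 (inconclusive, retest)
    SERVER_ACCEPTED - a TLS 1.0 session was negotiated (finding is real)
    SERVER_REJECTED - the server answered with an alert / version error
    NO_RESPONSE     - the server closed the connection without answering
    """
    m = HANDSHAKE_RE.search(text)
    read_bytes, written_bytes = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    proto = PROTOCOL_RE.search(text)
    if "no protocols available" in text:
        verdict = "CLIENT_REFUSED"
    elif proto and "Cipher is (NONE)" not in text:
        verdict = "SERVER_ACCEPTED"
    elif REJECT_RE.search(text):
        verdict = "SERVER_REJECTED"
    elif read_bytes == 0:
        verdict = "NO_RESPONSE"
    else:
        verdict = "UNKNOWN"
    return {"verdict": verdict, "read": read_bytes, "written": written_bytes,
            "protocol": proto.group(1) if proto else None}


def probe_tls10(host: str, port: int, timeout: float = 5.0) -> str:
    """Offer only TLS 1.0 to host:port and report the same verdicts as above.

    The security level is lowered and certificate checks are disabled because the
    question is purely whether the server will negotiate the protocol. If the local
    OpenSSL build has TLS 1.0 compiled out, context setup fails and we report
    CLIENT_REFUSED rather than a false "not supported".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return "CLIENT_REFUSED"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "SERVER_ACCEPTED" if tls.version() == "TLSv1" else "UNKNOWN"
    except ssl.SSLError:
        return "SERVER_REJECTED"
    except OSError:
        return "NO_RESPONSE"


if __name__ == "__main__":
    for name, sample in [("question output", CLIENT_REFUSED_SAMPLE),
                         ("constructed rejection", SERVER_REJECTED_SAMPLE),
                         ("constructed acceptance", SERVER_ACCEPTED_SAMPLE)]:
        print(name, "->", classify_sclient_output(sample))
    # Assumed target for a live check; replace with the server and port under review.
    print("live probe ->", probe_tls10("127.0.0.1", 443))
```

Run the classifier over the Result.txt produced by the PowerShell script above (split on the "====" separator lines) and treat every CLIENT_REFUSED port as untested: re-run those with probe_tls10, or with an s_client invocation that lowers the security level, before reporting the finding as a false positive.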