I am setting up web servers for best practice TLS.

The issue is TLS 1.0 which is deprecated

I want to remove it from the available protocols and have done the usual

##
# SSL Settings
##

ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

However the absence of TLSv1 in the list doesn't stop the server offering it.
I have checked carefully for prior syntax errors in the configuration and there are none.

The configuration is set in the main nginx.conf file and used by one or more enabled sites attached to specific IP addresses. The enabled sites do not change the ssl_protocols.

My environment:

nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-tLEWFX/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-tLEWFX/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

My config file - part

http {

##
# Basic Settings
##


sendfile on;
tcp_nopush on;
tcp_nodelay on;

# keepalive_timeout 65;

types_hash_max_size 2048;
server_tokens off;

server_names_hash_bucket_size 64;

# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

error_log /var/log/nginx/error.log info;

##
# SSL Settings
##

ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;

# Stapling

ssl_stapling on;
ssl_stapling_verify on;

# ssl ecdh curve

ssl_ecdh_curve secp384r1;

# DH Parameters

ssl_dhparam /etc/ssl/dhparams.pem;

# Header security

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

....

}