as a person running pretty large load balancer installation, I confirm there are a lot of usages of TLS10. for example, depending on .net version, default setting might be TLS1.0 if you run .net 4.5
the ability to turn TLS1.0 without recompile is the must thing to have. I'm even not sure about benefits of disabling TLS1.0, yes it lack PFS support, but it is still not vulnerable to any attack and widely used (beleive me). I agree there are special cases like PCI DSS 3.2, but it is not the default :) ср, 27 мая 2020 г. в 15:43, William Lallemand <wlallem...@haproxy.com>: > Hello List, > > Since HAProxy 1.8, the minimum default TLS version for bind lines is > TLSv10. I was thinking to increase this minimum default to TLSv11 before > the 2.2 release. But when we discussed the other day about the DH > param set to 2048 by default, I read that RHEL 8 was also disabling > TLSv11 by default. TLSv12 now exists for 12 years, it is widely-spread > nowadays. > > So in my opinion we should do the same, and set the minimum version to > TLSv12 by default on bind lines. It's still configurable with > min-ssl-ver if you want the support for prior TLS versions. > > Does anybody have any objections? > > -- > William Lallemand > >
