William, Am 27.05.20 um 12:40 schrieb William Lallemand: > Hello List, > > Since HAProxy 1.8, the minimum default TLS version for bind lines is > TLSv10. I was thinking to increase this minimum default to TLSv11 before > the 2.2 release. But when we discussed the other day about the DH > param set to 2048 by default, I read that RHEL 8 was also disabling > TLSv11 by default. TLSv12 now exists for 12 years, it is widely-spread > nowadays. > > So in my opinion we should do the same, and set the minimum version to > TLSv12 by default on bind lines. It's still configurable with > min-ssl-ver if you want the support for prior TLS versions. > > Does anybody have any objections? >
As a data point: The OpenSSL shipped with Debian Buster does not support anything below TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS. Best regards Tim Düsterhus [1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-defaults
