On Wed, May 27, 2020 at 12:42 PM William Lallemand <wlallem...@haproxy.com> wrote:
> So in my opinion we should do the same, and set the minimum version to
> TLSv12 by default on bind lines. It's still configurable with
> min-ssl-ver if you want the support for prior TLS versions.
> Does anybody have any objections?

Even though I'm late in the reply, I think it is a good decision. Modern browsers are going to disable it at some point; on our side we disabled TLS 1.0 and 1.1 completely last year. The traffic coming from browsers with this version was very low (around 1% IIRC, no more than 2%), and we also realised a big part of it was in fact fraudulent traffic coming from bots, so the final decision was not hard.

--
William