+1 - These are old protocols that just need to go away. They can always be turned back on by the administrator if there is a need for them in a particular installation. It should be well noted in the CHANGES Log and in the "Upgrading to 9.0" document for the release that this is a change to the default configuration from the previous version.

On 6/4/19, 6:14 PM, "Leif Hedstrom" <zw...@apache.org> wrote:

Hi all,

in the spirit of https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04 I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:

proxy.config.ssl.TLSv1=0
proxy.config.ssl.TLSv1_1=0
proxy.config.ssl.client.TLSv1=0
proxy.config.ssl.client.TLSv1_1=0

The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.

Any concerns / objections?

— Leif