+1
On Tue, Jun 4, 2019 at 4:02 PM Sudheer Vinukonda <sudheervinuko...@yahoo.com> wrote:

> +1
>
> We may need to also review the default settings for
> {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and
> consistent with turning off TLSv1.1 and TLSv1.0?
>
> Thanks,
>
> Sudheer
>
> On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org>
> wrote:
>
> Hi all,
>
> in the spirit of
>
> https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
>
> I’d like to propose that we change the defaults for our settings, to turn
> these two protocols off by default:
>
> proxy.config.ssl.TLSv1=0
> proxy.config.ssl.TLSv1_1=0
> proxy.config.ssl.client.TLSv1=0
> proxy.config.ssl.client.TLSv1_1=0
>
> The code / features will still be there, and can either be turned on
> globally, or (better IMO) turned on per SNI in ssl_server_name.yaml /
> sni.yaml.
>
> Any concerns / objections?
>
> — Leif
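
An added example, not part of the thread or of the Traffic Server code base: a small audit that reports, for a records.config fragment, whether each of the four settings named in the proposal leaves TLSv1.0/TLSv1.1 on. The function names, the sample fragment and the `assumed_default` parameter are assumptions of this sketch; an unset record is reported against whatever default the caller states for the build being checked.

```python
import re

# The four settings named in the proposal above.
LEGACY_TLS_SETTINGS = (
    "proxy.config.ssl.TLSv1",
    "proxy.config.ssl.TLSv1_1",
    "proxy.config.ssl.client.TLSv1",
    "proxy.config.ssl.client.TLSv1_1",
)

# records.config line shape: CONFIG <name> <TYPE> <value>
RECORD_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(\S+)\s+(.*?)\s*$")

def parse_records(text):
    """Return {name: value} for CONFIG lines (this sketch keeps the last occurrence)."""
    records = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = RECORD_RE.match(line)
        if m:
            records[m.group(1)] = m.group(3)
    return records

def audit_legacy_tls(text, assumed_default="1"):
    """Map each legacy-TLS setting to 'enabled', 'disabled' or 'unset-<state>'.

    assumed_default is the caller's statement of the built-in default of the
    build being audited ("1" = on, "0" = off); it is not read from anywhere.
    """
    records = parse_records(text)
    report = {}
    for name in LEGACY_TLS_SETTINGS:
        if name in records:
            report[name] = "disabled" if records[name] == "0" else "enabled"
        else:
            state = "disabled" if assumed_default == "0" else "enabled"
            report[name] = "unset-" + state
    return report

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# constructed records.config fragment
CONFIG proxy.config.ssl.TLSv1 INT 0
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 0
"""

if __name__ == "__main__":
    for name, state in audit_legacy_tls(SAMPLE).items():
        print(f"{name}: {state}")
```

Settings reported as `unset-enabled` are the ones whose behaviour would change if the proposed defaults were adopted.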