> On Jun 4, 2019, at 18:15, Masaori Koshiba <masa...@apache.org> wrote:
>
> +1
>
> OpenSSL supports TLSv1.2 from v1.0.1, and our minimum requirement for it is
> v1.0.2 from v9.0.0. There are no problems.

Well, the thing to watch out for is if you have clients which don’t support v1.2 or later :). I’ll make a PR for this momentarily.

Cheers,

— Leif

>
> - Masaori
>
>> On Wed, Jun 5, 2019 at 8:19 AM Patrick O'Brien
>> <patrickobr...@tetrisblocks.net> wrote:
>> +1
>>
>>> On Tue, Jun 4, 2019 at 4:02 PM Sudheer Vinukonda
>>> <sudheervinuko...@yahoo.com> wrote:
>>> +1
>>>
>>> We may need to also review the default settings for
>>> {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and
>>> consistent with turning off TLSv1.1 and TLSv1.0?
>>>
>>> Thanks,
>>>
>>> Sudheer
>>>
>>> On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org>
>>> wrote:
>>>
>>> Hi all,
>>>
>>> in the spirit of
>>>
>>> https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
>>>
>>> I’d like to propose that we change the defaults for our settings, to turn
>>> these two protocols off by default:
>>>
>>> proxy.config.ssl.TLSv1=0
>>> proxy.config.ssl.TLSv1_1=0
>>> proxy.config.ssl.client.TLSv1=0
>>> proxy.config.ssl.client.TLSv1_1=0
>>>
>>> The code / features will still be there, and can either be turned on
>>> globally, or (better IMO) turned on per SNI in ssl_server_name.yaml /
>>> sni.yaml.
>>>
>>> Any concerns / objections?
>>>
>>> — Leif
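An added audit script, not part of the thread or of Traffic Server itself: it parses a records.config excerpt (assuming the `CONFIG <name> <TYPE> <value>` line format) and reports which of the four legacy-TLS settings from the proposal are still effectively enabled, taking into account that a setting absent from the file falls back to the shipped default (1 before the proposed change, 0 after). The sample config is constructed.

```python
import re

# The four legacy-protocol knobs named in the proposal. The thread implies
# they shipped enabled (1) before the change and would default to 0 after it.
LEGACY_TLS_SETTINGS = (
    "proxy.config.ssl.TLSv1",
    "proxy.config.ssl.TLSv1_1",
    "proxy.config.ssl.client.TLSv1",
    "proxy.config.ssl.client.TLSv1_1",
)

# Assumed records.config line format, e.g.:  CONFIG proxy.config.ssl.TLSv1 INT 0
RECORD_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*?)\s*$")


def parse_records_config(text):
    """Return {name: value} for every CONFIG line; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(3)
    return settings


def legacy_tls_enabled(text, default_enabled=True):
    """Names of legacy-TLS settings that are effectively on.

    default_enabled=True models the pre-change shipped default (1),
    False models the proposed default (0) for settings absent from the file.
    """
    settings = parse_records_config(text)
    enabled = []
    for name in LEGACY_TLS_SETTINGS:
        value = settings.get(name)
        if value is None:
            if default_enabled:
                enabled.append(name)
        elif value.strip() != "0":
            enabled.append(name)
    return enabled


# Constructed sample: the operator disabled server-side TLSv1 but left
# TLSv1.1 at its default and explicitly re-enabled TLSv1.1 toward origins.
SAMPLE_RECORDS_CONFIG = """\
# records.config excerpt (constructed sample)
CONFIG proxy.config.ssl.TLSv1 INT 0
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256
"""
```

Running `legacy_tls_enabled(SAMPLE_RECORDS_CONFIG)` against a pre-9.0 default lists three settings still on; with `default_enabled=False` only the explicit client-side override remains.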