ср, 27 мая 2020 г. в 16:09, Tim Düsterhus <t...@bastelstu.be>:
> William, > > Am 27.05.20 um 12:40 schrieb William Lallemand: > > Hello List, > > > > Since HAProxy 1.8, the minimum default TLS version for bind lines is > > TLSv10. I was thinking to increase this minimum default to TLSv11 before > > the 2.2 release. But when we discussed the other day about the DH > > param set to 2048 by default, I read that RHEL 8 was also disabling > > TLSv11 by default. TLSv12 now exists for 12 years, it is widely-spread > > nowadays. > > > > So in my opinion we should do the same, and set the minimum version to > > TLSv12 by default on bind lines. It's still configurable with > > min-ssl-ver if you want the support for prior TLS versions. > > > > Does anybody have any objections? > > > > As a data point: > > The OpenSSL shipped with Debian Buster does not support anything below > TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS. > I know several real-world cases when people had to build their own openssl on Debian Buster in order get TLS1.0 back > > Best regards > Tim Düsterhus > > [1] > > https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#openssl-defaults > >