Ilya,

On 27.05.20 at 13:33, Илья Шипицин wrote:
>> As a data point:
>>
>> The OpenSSL shipped with Debian Buster does not support anything below
>> TLS 1.2 by default [1]. The same is true starting with Ubuntu 20.04 LTS.
>>
>
> I know several real-world cases when people had to build their own openssl
> on Debian Buster in order to get TLS1.0 back
>

Sure. But admins that are capable enough to compile their own OpenSSL
will be capable enough to add the following to their HAProxy configuration:

    ssl-default-bind-options ssl-min-ver TLSv1.0

However in the general case you won't get far as a client in today's
Internet without supporting TLS 1.2. For my machines I dropped support
for anything < 1.2 on port 443 more than 2 years ago.

Best regards
Tim Düsterhus
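
An added example, not part of the original mail or of HAProxy itself: a small Python audit that reports which `bind ... ssl` lines in an HAProxy configuration end up with a minimum TLS version below 1.2, letting a bind-level `ssl-min-ver` override the `ssl-default-bind-options` value. The sample configuration, certificate path and function names are constructed for illustration, and the parser assumes plain whitespace-separated keywords.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Values accepted by ssl-min-ver, oldest first.
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def _tokens(line):
    """Split a config line into keywords, dropping a trailing # comment."""
    return line.split("#", 1)[0].split()

def _min_ver(tokens):
    """Return the value following 'ssl-min-ver', or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "ssl-min-ver":
            return tokens[i + 1]
    return None

def audit(config_text, floor="TLSv1.2"):
    """List (section, bind address, effective minimum) for every TLS bind
    whose effective ssl-min-ver is below `floor`. Binds with no explicit
    setting anywhere are not reported: their floor then depends on the
    HAProxy and OpenSSL build, which this script cannot see."""
    lines = [t for t in map(_tokens, config_text.splitlines()) if t]
    default = None
    for t in lines:                       # pass 1: global default
        if t[0] == "ssl-default-bind-options":
            default = _min_ver(t) or default
    findings, section = [], None
    for t in lines:                       # pass 2: each bind line
        if t[0] in SECTIONS:
            section = " ".join(t[:2])
        elif t[0] == "bind" and "ssl" in t[2:]:
            effective = _min_ver(t) or default
            if effective in ORDER and ORDER.index(effective) < ORDER.index(floor):
                findings.append((section, t[1], effective))
    return findings

# Constructed sample configuration (paths and names are placeholders).
SAMPLE = """\
global
    ssl-default-bind-options ssl-min-ver TLSv1.0   # the line from the mail

frontend legacy
    bind :8443 ssl crt /etc/haproxy/site.pem       # inherits TLSv1.0

frontend web
    bind :443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2
    bind :80
"""

if __name__ == "__main__":
    for section, addr, ver in audit(SAMPLE):
        print(f"{section}: bind {addr} accepts {ver}")
```
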

