MEDIUM: ssl: use TLSv1.2 as the minimum default on bind lines Since HAProxy 1.8, the TLS default minimum version was set to TLSv1.0 to avoid using the deprecated SSLv3.0. Since then, the standard changed and the recommended TLS version is now TLSv1.2. This patch changes the minimum default version to TLSv1.2 on bind lines. If you need to use prior TLS version, this is still possible by using the ssl-min-ver keyword.

commit: 2f44a59c7fdb9e5767bd2d03bb5a2772fb5a8783 [log] [tgz]
author: William Lallemand <wlallemand@haproxy.com> Fri May 29 08:54:33 2020 +0200
committer: William Lallemand <wlallemand@haproxy.org> Fri May 29 09:05:45 2020 +0200
tree: 6c4aa7e29140ea42ac9639a8bff893809f368d77
parent: 56192cc60b786f2c82925411d8b2ccd7d9f97d84 [diff]
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9d6b8b1..b52f2ec 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c

@@ -3663,9 +3663,9 @@
 
 	min = conf_ssl_methods->min;
 	max = conf_ssl_methods->max;
-	/* start with TLSv10 to remove SSLv3 per default */
-	if (!min && (!max || max >= CONF_TLSV10))
-		min = CONF_TLSV10;
+	/* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */
+	if (!min && (!max || max >= CONF_TLSV12))
+		min = CONF_TLSV12;
 	/* Real min and max should be determinate with configuration and openssl's capabilities */
 	if (min)
 		flags |= (methodVersions[min].flag - 1);
commit	2f44a59c7fdb9e5767bd2d03bb5a2772fb5a8783	[log] [tgz]
author	William Lallemand <wlallemand@haproxy.com>	Fri May 29 08:54:33 2020 +0200
committer	William Lallemand <wlallemand@haproxy.org>	Fri May 29 09:05:45 2020 +0200
tree	6c4aa7e29140ea42ac9639a8bff893809f368d77
parent	56192cc60b786f2c82925411d8b2ccd7d9f97d84 [diff]