From 2f44a59c7fdb9e5767bd2d03bb5a2772fb5a8783 Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Fri, 29 May 2020 08:54:33 +0200 Subject: [PATCH] MEDIUM: ssl: use TLSv1.2 as the minimum default on bind lines Since HAProxy 1.8, the TLS default minimum version was set to TLSv1.0 to avoid using the deprecated SSLv3.0. Since then, the standard changed and the recommended TLS version is now TLSv1.2. This patch changes the minimum default version to TLSv1.2 on bind lines. If you need to use prior TLS version, this is still possible by using the ssl-min-ver keyword. --- src/ssl_sock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 9d6b8b118..b52f2ec6a 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -3663,9 +3663,9 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf) min = conf_ssl_methods->min; max = conf_ssl_methods->max; - /* start with TLSv10 to remove SSLv3 per default */ - if (!min && (!max || max >= CONF_TLSV10)) - min = CONF_TLSV10; + /* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */ + if (!min && (!max || max >= CONF_TLSV12)) + min = CONF_TLSV12; /* Real min and max should be determinate with configuration and openssl's capabilities */ if (min) flags |= (methodVersions[min].flag - 1);