From: William Lallemand <wlallemand@haproxy.com>
Date: Fri, 29 May 2020 06:54:33 +0000 (+0200)
Subject: MEDIUM: ssl: use TLSv1.2 as the minimum default on bind lines
X-Git-Tag: v2.2-dev9~172
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2f44a59c7fdb9e5767bd2d03bb5a2772fb5a8783;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: use TLSv1.2 as the minimum default on bind lines

Since HAProxy 1.8, the TLS default minimum version was set to TLSv1.0 to
avoid using the deprecated SSLv3.0. Since then, the standard changed and
the recommended TLS version is now TLSv1.2.

This patch changes the minimum default version to TLSv1.2 on bind lines.
If you need to use prior TLS version, this is still possible by
using the ssl-min-ver keyword.
---

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 9d6b8b1184..b52f2ec6ae 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -3663,9 +3663,9 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
 
 	min = conf_ssl_methods->min;
 	max = conf_ssl_methods->max;
-	/* start with TLSv10 to remove SSLv3 per default */
-	if (!min && (!max || max >= CONF_TLSV10))
-		min = CONF_TLSV10;
+	/* start with TLSv12 to remove SSLv3,TLSv10,TLSv11 per default */
+	if (!min && (!max || max >= CONF_TLSV12))
+		min = CONF_TLSV12;
 	/* Real min and max should be determinate with configuration and openssl's capabilities */
 	if (min)
 		flags |= (methodVersions[min].flag - 1);