Remove TLS 1.0 and 1.1 from the defaults on the client-side #5395

PiotrSikora · 2018-12-22T01:36:54Z

This is the intent to remove TLS 1.0 and 1.1 from the default TLS protocols on the client-side.

This change will affect your deployment if it's using default minimum TLS protocol version (i.e. not configuring tls_minimum_protocol_version) and it's making outgoing TLS 1.0 or 1.1 connections:

$ curl -s localhost:9901/stats | grep -E "^cluster.*.ssl.versions.TLSv(1|1.1):"
cluster.<service>.ssl.versions.TLSv1: 1
cluster.<service>.ssl.versions.TLSv1.1: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.10 (i.e. ~now)

The text was updated successfully, but these errors were encountered:

PiotrSikora mentioned this issue Dec 22, 2018

Modernize TLS defaults #5401

Open

11 tasks

mattklein123 added area/tls no stalebot Disables stalebot from closing an issue labels Dec 24, 2018

PiotrSikora changed the title ~~Deprecate TLS 1.0 and 1.1 on the client-side~~ Remove TLS 1.0 and 1.1 from the defaults on the client-side Jan 3, 2019

derekargueta mentioned this issue Oct 24, 2019

tls: remove 1.0 and 1.1 from client defaults #8755

Merged

mattklein123 closed this as completed in #8755 Nov 5, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove TLS 1.0 and 1.1 from the defaults on the client-side #5395

Remove TLS 1.0 and 1.1 from the defaults on the client-side #5395

PiotrSikora commented Dec 22, 2018

Remove TLS 1.0 and 1.1 from the defaults on the client-side #5395

Remove TLS 1.0 and 1.1 from the defaults on the client-side #5395

Comments

PiotrSikora commented Dec 22, 2018