cloudfoundry / haproxy-boshrelease

A BOSH release for haproxy (based on cf-release's haproxy job)
Apache License 2.0

let's enable TLS v1.3 #654

Closed kinjelom closed 4 months ago

kinjelom commented 4 months ago

Now there is no way to enable TLS v1.3; let's enable TLS v1.3.

maxmoehl commented 4 months ago

Could you please explain your change? I don't see how this changes anything related to TLSv1.3.

domdom82 commented 4 months ago

sslv3 is not TLSv1.3. More like TLSv1.0

kinjelom commented 4 months ago

I'm sorry, my mistake - TLS v1.3 probably doesn't work due to the OpenSSL version in the stemcell.

maxmoehl commented 4 months ago

It does work, but it is disabled by default. In our internal backlog we have an item to deprecate the individual no-* options in favour of exposing ssl-min-ver and ssl-max-ver. We are currently using the raw blocks to set those, but this should really be a feature of the release.

ssl-max-ver
The default value is "TLSv1.2".

So if you are interested, feel free to contribute a PR :)

PS: I have it on my list to look into your other PR, but I have a lot on the table right now :/
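For readers unfamiliar with the two styles being compared above, here is an added haproxy.cfg example (not code from this release or from the PR) showing the per-protocol no-* exclusions next to an explicit version window; it assumes an HAProxy build linked against OpenSSL 1.1.1 or newer and uses /etc/haproxy/certs/ as a placeholder certificate path.

```haproxy
# Style 1: what the release's individual no-* options express. Each legacy
# protocol is switched off one at a time, but the upper bound is never
# raised, so with the "TLSv1.2" default for ssl-max-ver quoted in this
# thread, TLSv1.3 is still not offered to clients.
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

# Style 2: state the accepted version window explicitly. TLSv1.0/1.1 stay
# disabled (nothing below the minimum is accepted) and TLSv1.3 becomes
# negotiable with clients that support it. TLSv1.3 uses its own cipher
# suite list, set with ssl-default-bind-ciphersuites rather than
# ssl-default-bind-ciphers.
global
    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# A listener picks the global defaults up automatically; nothing
# version-related needs repeating on the bind line.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    default_backend app

backend app
    server app1 127.0.0.1:8080 check
```

Only one global section belongs in a real configuration; the two are shown side by side purely to contrast the settings.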

kinjelom commented 4 months ago

ssl-min/max-ver

@maxmoehl done: https://github.com/cloudfoundry/haproxy-boshrelease/pull/657