noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

IO::Socket::SSL supports TLSv1.0 #70

Closed SineSwiper closed 6 years ago

SineSwiper commented 6 years ago

Per the POD:

IO::Socket::SSL tries to set these values to reasonable, secure values which are compatible with the rest of the world. But, there are some scripts or modules out there which tried to be smart and get more secure or compatible settings. Unfortunately, they did this years ago and never updated these values, so they are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11). Or they set 'HIGH' as the cipher list and thought they were secure, but did not notice that 'HIGH' includes anonymous ciphers, e.g. without identification of the peer.

So it is recommended to leave the settings at the secure defaults which IO::Socket::SSL sets and which get updated from time to time to better fit the real world.

Keeping the "secure" defaults would allow TLSv1.0. TLSv1.0 is insecure and broken. POODLE and BEAST exploits already exist for it. Using it will break PCI DSS in June 2018.

Let's just change default SSL_version to SSLv23:!SSLv2:!SSLv3:!TLSv1.

noxxi commented 6 years ago

"TLSv1.0 is insecure and broken" - TLS 1.0 is still supported by all major web browsers since it is actually in use by several web servers. Apart from that, POODLE is SSL 3.0 - except for some broken TLS stacks (not OpenSSL). And I don't consider BEAST a problem in the use cases where IO::Socket::SSL is commonly used.

"Using it will break PCI DSS in June 2018." - PCI DSS is a requirement for specific use cases only. You are free to restrict your client to TLS 1.2 only if it is required in your environment.

In other words: at the moment I don't see the urgent need to disable TLS 1.0. And while it would be nice to do it, there are still too many systems out there which don't support TLS 1.2, so disabling TLS 1.0 would break too much.
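
Added example, not part of the thread and not the module's own code: a client that applies the per-environment restriction discussed above, using the SSL_version exclusion syntax from the issue. It goes one step further than the string in the issue by also excluding TLS 1.1, so TLS 1.2 is the floor; target hosts are assumed to be passed on the command line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports $SSL_ERROR and SSL_VERIFY_PEER by default

# SSL_version syntax: start from "SSLv23" (negotiate the best shared
# version) and subtract what local policy forbids. The string proposed in
# the issue stops at !TLSv1; !TLSv1_1 is added here (an assumption about
# local policy) so that nothing below TLS 1.2 is offered.
my $TLS12_FLOOR = 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1';

# Connect with the restricted version set and report what was negotiated.
# Returns (version, cipher) on success, an empty list on failure.
sub probe {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_version     => $TLS12_FLOOR,
        SSL_verify_mode => SSL_VERIFY_PEER,    # keep certificate validation on
        Timeout         => 10,
    );
    unless ($sock) {
        # A peer limited to TLS 1.0/1.1 fails here, during the handshake.
        warn "$host:$port failed: " . ($SSL_ERROR || $!) . "\n";
        return;
    }
    my @info = ($sock->get_sslversion, $sock->get_cipher);
    $sock->close;
    return @info;
}

# Optional: make the floor the process-wide client default, so modules that
# build on IO::Socket::SSL without setting SSL_version themselves inherit it.
IO::Socket::SSL::set_client_defaults(SSL_version => $TLS12_FLOOR);

# Usage: perl tls_floor.pl host[:port] ...
for my $target (@ARGV) {
    my ($host, $port) = split /:/, $target, 2;
    if (my ($version, $cipher) = probe($host, $port || 443)) {
        print "$target negotiated $version with $cipher\n";
    }
}
```

Running it against the endpoints a client actually talks to shows which of them would break under the stricter setting before it is enforced.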