Closed SineSwiper closed 6 years ago
"TLSv1.0 is insecure and broken" - TLS 1.0 is still supported by all major web browsers since it is actually in use by several web servers. Apart from that, POODLE is SSL 3.0 - except for some broken TLS stacks (not OpenSSL). And I don't consider BEAST a problem in the use cases where IO::Socket::SSL is commonly used.
"Using it will break PCI DSS in June 2018." - PCI DSS is a requirement for specific use cases only. You are free to restrict your client to TLS 1.2 only if it is required in your environment.
In other words: at the moment I don't see the urgent need to disable TLS 1.0. And while it would be nice to do it, there are still too many systems out there which don't support TLS 1.2, so disabling TLS 1.0 would break too much.
Per the POD:
Keeping the "secure" defaults would allow TLSv1.0. TLSv1.0 is insecure and broken. POODLE and BEAST exploits already exist for it. Using it will break PCI DSS in June 2018.
Let's just change the default SSL_version to SSLv23:!SSLv2:!SSLv3:!TLSv1.
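The disagreement above comes down to what a client with the proposed default does when it meets a peer that speaks nothing newer than TLS 1.0. The script below is an added example, not code from the issue or from IO::Socket::SSL itself: it forks a local TLS 1.0-only listener and connects to it twice, once with the module's default SSL_version and once with the version string proposed in the issue. It assumes an openssl binary on PATH (to mint a throwaway self-signed certificate) and an OpenSSL build in which TLS 1.0 can still be enabled; on OpenSSL 3.x that additionally requires dropping to security level 0, which the SSL_cipher_list setting does for both sides.

```perl
#!/usr/bin/env perl
# Added example (not from the IO::Socket::SSL issue or the module itself):
# a TLS 1.0-only server and two clients, one with the module's default
# SSL_version and one with the version string proposed in the issue.
use strict;
use warnings;
use File::Temp qw(tempdir);
use IO::Socket::SSL;   # exports $SSL_ERROR and SSL_VERIFY_NONE

# Assumption: an `openssl` binary is on PATH to mint a throwaway self-signed cert.
my $dir = tempdir(CLEANUP => 1);
system('openssl', 'req', '-x509', '-newkey', 'rsa:2048', '-nodes',
       '-keyout', "$dir/key.pem", '-out', "$dir/cert.pem",
       '-subj', '/CN=localhost', '-days', '1') == 0
    or die "openssl req failed";

# OpenSSL 3.x refuses TLS 1.0 at its default security level (1); this cipher
# string drops to level 0 so the legacy listener can exist at all.
my $legacy_ciphers = 'DEFAULT:@SECLEVEL=0';

# Listener mimicking a legacy system that speaks exactly TLS 1.0 and nothing newer.
my $server = IO::Socket::SSL->new(
    LocalAddr       => '127.0.0.1',
    LocalPort       => 0,                 # let the kernel pick a free port
    Listen          => 5,
    SSL_server      => 1,
    SSL_cert_file   => "$dir/cert.pem",
    SSL_key_file    => "$dir/key.pem",
    SSL_version     => 'TLSv1',           # exact version, no range
    SSL_cipher_list => $legacy_ciphers,
) or die "server: $SSL_ERROR";
my $port = $server->sockport;

my $pid = fork();
defined $pid or die "fork: $!";
if ($pid == 0) {
    # Child: accept two handshakes; accept() returns undef when one fails.
    for (1 .. 2) {
        my $c = $server->accept;
        next unless $c;
        print $c "hello\n";
        close $c;
    }
    exit 0;
}

# Attempt a connection with the given SSL_version and report the outcome.
sub try_client {
    my ($label, $version) = @_;
    my $cli = IO::Socket::SSL->new(
        PeerHost        => '127.0.0.1',
        PeerPort        => $port,
        SSL_version     => $version,
        SSL_cipher_list => $legacy_ciphers,
        SSL_verify_mode => SSL_VERIFY_NONE,   # self-signed test cert; demo only
    );
    if ($cli) {
        printf "%-24s connected, negotiated %s\n", $label, $cli->get_sslversion;
        close $cli;
    } else {
        printf "%-24s refused: %s\n", $label, $SSL_ERROR;
    }
}

# The module's documented default range: SSLv2 and SSLv3 excluded, TLS 1.0 allowed.
try_client('module default',    'SSLv23:!SSLv2:!SSLv3');
# The default proposed in the issue: TLS 1.0 excluded as well.
try_client('proposed in issue', 'SSLv23:!SSLv2:!SSLv3:!TLSv1');

waitpid($pid, 0);
```

The first client completes the handshake and reports TLSv1; the second is refused by OpenSSL before any application data flows, which is the "would break too much" case the maintainer describes. The same SSL_version string can be applied per connection, as here, or process-wide through IO::Socket::SSL::set_defaults, which is the route for an environment that has to satisfy PCI DSS without waiting for the module's default to change.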