openssl / project

Tracking of project related issues

Investigate how the SECLEVEL check is applied to the TLS version #672

Open t8m opened 1 week ago

t8m commented 4 days ago

Since version 3.1, with SECLEVEL > 0 the TLS 1.0/1.1 and DTLS 1.0 protocol versions are explicitly disabled by the default security check function. I've tested it and it works as expected, i.e. a client running with SECLEVEL >= 1 will trigger this message on a server that runs with SECLEVEL=0 and -max_protocol TLSv1.1:

40C7F607597F0000:error:0A000102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../openssl31/ssl/statem/statem_srvr.c:1657:

As the default security level was 1 on 3.1 and is 2 since 3.2, IMO this makes these old TLS versions sufficiently deprecated. If we wanted to deprecate them further, we could make no-tls1, no-tls1_1 and no-dtls1 default build options. However, I think this is 4.0 release material.
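The reproduction described in the comment above, written out as an added example (not code from the issue or from the OpenSSL project): a TLS 1.1-only s_server at SECLEVEL=0 and an s_client at SECLEVEL=1, so that the only thing the client's default security callback can object to is the protocol version. The function name `probe_seclevel_tls11`, the throwaway certificate and the port 4433 are this example's own choices; it assumes an `openssl` 3.1+ binary built with TLS 1.1 on PATH.

```shell
#!/bin/sh
# Added example, not from the issue: reproduce the SECLEVEL-vs-protocol check
# with the openssl CLI. Assumes an `openssl` 3.1+ binary built with TLS 1.1
# on PATH and a free TCP port on 127.0.0.1 (4433 by default).
# Prints one word: "rejected" (the SECLEVEL>=1 client refuses the TLS 1.1-only
# server), "accepted" (older OpenSSL: no version check at level 1) or
# "unavailable" (no usable openssl, or the TLS 1.1 server could not start).

probe_seclevel_tls11() {
    port=${1:-4433}
    command -v openssl >/dev/null 2>&1 || { echo unavailable; return 0; }
    dir=$(mktemp -d) || { echo unavailable; return 0; }

    # Throwaway self-signed RSA-2048 certificate: strong enough for SECLEVEL 1
    # and 2, so only the protocol version can make the client balk.
    if ! openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=localhost -days 1 \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1; then
        rm -rf "$dir"; echo unavailable; return 0
    fi

    # Server side exactly as in the issue: SECLEVEL=0 plus -max_protocol TLSv1.1.
    openssl s_server -accept "$port" -cert "$dir/cert.pem" -key "$dir/key.pem" \
        -cipher DEFAULT@SECLEVEL=0 -max_protocol TLSv1.1 \
        >"$dir/server.log" 2>&1 </dev/null &
    srv=$!
    tries=0
    # s_server prints a bare ACCEPT line once it is listening.
    while [ "$tries" -lt 10 ] && ! grep -q '^ACCEPT' "$dir/server.log"; do
        kill -0 "$srv" 2>/dev/null || break
        sleep 1; tries=$((tries + 1))
    done
    if ! grep -q '^ACCEPT' "$dir/server.log"; then
        kill "$srv" 2>/dev/null || true
        rm -rf "$dir"; echo unavailable; return 0
    fi

    # Client at SECLEVEL=1: since 3.1 the default security callback refuses
    # TLS 1.0/1.1 at any level above 0, so this handshake must fail.
    rc=0
    openssl s_client -connect "127.0.0.1:$port" -cipher DEFAULT@SECLEVEL=1 \
        </dev/null >"$dir/client.log" 2>&1 || rc=$?
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$dir"
    [ "$rc" -eq 0 ] && echo accepted || echo rejected
}
```

With OpenSSL 3.1 or later the server log contains the "unsupported protocol" error quoted in the comment and the function prints "rejected"; an "accepted" result means the binary predates the version check.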