Disable TLS 1.0 and 1.1 connections

[nervuri]

Lagrange supports TLS 1.0 and 1.1, at least on my machine (I compiled Lagrange on Debian 12).

Looking at the spec, I'm surprised to see that it's not explicit about disallowing TLS versions prior to 1.2. Solderpunk's version says:

Servers MUST use TLS version 1.2 or higher and SHOULD use TLS version 1.3 or higher. TLS 1.2 is reluctantly permitted for now to avoid drastically reducing the range of available implementation libraries. Hopefully TLS 1.3 or higher can be specced in the near future. Clients who wish to be "ahead of the curve MAY refuse to connect to servers using TLS version 1.2 or lower.

While Sean Conner's version says:

Servers and clients MUST support TLS 1.2 or higher.

and

TLS 1.2 is the minimum required version.

Neither spec says that clients MUST NOT support TLS versions older than 1.2, but I think that was always the intention.

[skyjake]

I agree it would be wise to set the minimum protocol version at TLS 1.2 on client-side as it would dissuade servers from using off-spec versions of TLS.

[skyjake]

Checking tlsprivacy.nervuri.net with Lagrange v1.17.1, I get this:

      {
        "code": 43,
        "name": "supported_versions",
        "data": {
          "raw": "0403040303",
          "supported_tls_versions": [
            {
              "code": 772,
              "hex_code": "0304",
              "name": "TLS 1.3"
            },
            {
              "code": 771,
              "hex_code": "0303",
              "name": "TLS 1.2"
            }
          ]
        }
      },

Which would mean the issue has been resolved, I believe.