tls: remove 1.0 and 1.1 from client defaults (#8755)

Signed-off-by: Derek Argueta <dereka@pinterest.com> Mirrored from https://github.com/envoyproxy/envoy @ d9fc7f7a2d5c2098e191adb2502c8e04917abdd1
5 years ago · 5a7624b313
parent 51ebfc50b9
commit 5a7624b313
2 changed files with 4 additions and 2 deletions
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@ -35,7 +35,8 @@ message TlsParameters {
    TLSv1_3 = 4;
  }

-  // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
+  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
+  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];

  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
--- a/envoy/api/v3alpha/auth/cert.proto
+++ b/envoy/api/v3alpha/auth/cert.proto
@ -35,7 +35,8 @@ message TlsParameters {
    TLSv1_3 = 4;
  }

-  // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
+  // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
+  // servers.
  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];

  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and