docs: add note for tls protocol versions below tlsv1_2 (#23297)

Adds a note that the ``cipher_suites`` setting needs to be manually set if using ``tls_minimum_protocol_version`` below ``TLSv1_2``.

Signed-off-by: gsalisbury <gsalisbury@apnic.net>

Mirrored from https://github.com/envoyproxy/envoy @ 538c0bb9bc0dc960677269512560d60c564b5f26
pull/626/head
data-plane-api(Azure Pipelines) 2 years ago
parent 1a0ddd3ba7
commit 8dfc730258
  1. 7
      envoy/extensions/transport_sockets/tls/v3/common.proto

@ -45,6 +45,13 @@ message TlsParameters {
}
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers.
//
// TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
// ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers.
//
// .. attention::
//
// Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
// Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for
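Review bot: The new comment on tls_minimum_protocol_version tells the reader to set compatible ciphers through ``cipher_suites`` for versions below TLSv1_2, but it names no compatible suite and carries no cross-reference to the ``cipher_suites`` field, so the reader still has to work out what to configure. Consider linking to that field's documentation or stating which class of suites is meant. The attention block's "serious security considerations and risks" is equally unspecific; one clause saying what the risk is, or a pointer to where it is described, would make the warning actionable. Style point: the two added sentences write TLSv1_2 as plain text, while the existing first line of the comment uses ``TLSv1_2`` with double backticks; the literal should be marked up the same way throughout.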
