Dropping support for old versions of SSL and TLS in HAProxy and Gorouter


Shannon Coen
 

When TLS is enabled on Gorouter (router.enable_ssl: true; false by
default), it will currently accept connections using SSLv3, TLSv1.0,
TLSv1.1, or TLSv1.2.

The HAProxy in cf-release always has TLS enabled and will accept
connections using TLSv1.0, TLSv1.1, or TLSv1.2.

For security reasons, we would like to drop support in these components for
all versions except TLSv1.2. Please let me know if you have a compelling
use case for maintaining support for older versions using a manifest
property. I recognize this could be an issue if apps on your deployments of
CF must continue supporting clients that do not use TLSv1.2.

Thank you,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
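The effect of the proposed TLSv1.2-only floor on older clients, as an added example that is not part of the original message and is not Gorouter or HAProxy code: a Go `crypto/tls` server and client handshake over an in-memory pipe, first with a TLSv1.0 floor and then with a TLSv1.2 floor. The helper names (`selfSigned`, `handshakes`, `Accepted`) are hypothetical and the certificate is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned returns a throwaway certificate (constructed test data).
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// handshakes reports whether a client pinned to clientVer connects to a server whose floor is serverMin.
func handshakes(cert tls.Certificate, serverMin, clientVer uint16) bool {
	c, s := net.Pipe() // in-memory connection, no network needed
	defer c.Close()
	srv := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{cert},
		MinVersion: serverMin, MaxVersion: tls.VersionTLS12})
	go func() { _ = srv.Handshake(); s.Close() }()
	cli := tls.Client(c, &tls.Config{MinVersion: clientVer, MaxVersion: clientVer,
		InsecureSkipVerify: true}) // test only: the certificate is self-signed
	return cli.Handshake() == nil
}

// Accepted lists the client versions that still connect (SSLv3 is not probed: crypto/tls no longer implements it).
func Accepted(tls12Only bool) []string {
	floor, cert, ok := uint16(tls.VersionTLS10), selfSigned(), []string{}
	if tls12Only {
		floor = tls.VersionTLS12
	}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12} {
		if handshakes(cert, floor, v) {
			ok = append(ok, tls.VersionName(v))
		}
	}
	return ok
}

func main() { fmt.Println(Accepted(false), Accepted(true)) }
```

With the floor raised, clients pinned to TLSv1.0 or TLSv1.1 fail the handshake outright rather than negotiating down, which is the compatibility impact the message asks operators to consider.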
