Hacker News new | past | comments | ask | show | jobs | submit login

As other wrote, this might cause problems when TLS 1.3 contains a major vulnerability TLS 1.4 fixes.

In my opinion, the `ssl_protocols` config should accept a string like "TLSv1.2+ -TLSv1.3", basically stating a minimum version, allowing exclusions and including anything newer. In the same spirit, one should be able to do "TLSv1.0-TLSv1.2" for setting a maximum, with specific exclusions if a new TLS version ever becomes a problem.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact