From 171f8e79ed76113bdfb8fa6d89822647ab31b297 Mon Sep 17 00:00:00 2001
From: Koichiro IWAO
Date: Fri, 14 Sep 2018 00:41:09 +0900
Subject: [PATCH] xrdp: deprecate TLSv1 and TLSv1.1

Most websites disabled TLSv1 (1.0) and TLSv1.1 since March 2018 [1][2][3]. It is HTTPS context but there's few differences between HTTPS and other TLS connections. Users can whenever re-enable these deprecated TLS versions by editing xrdp.ini but not enabled by default. [1] https://www.globalsign.com/en/blog/disable-tls-10-and-all-ssl-versions/ [2] https://www.thesslstore.com/blog/deprecation-tls-1-0-1-1-underway/ [3] https://www.digicert.com/blog/depreciating-tls-1-0-and-1-1/
---
 xrdp/xrdp.ini.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xrdp/xrdp.ini.in b/xrdp/xrdp.ini.in
index 97fc81f9..76da53b5 100644
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@@ -29,7 +29,7 @@ certificate=
 key_file=
 ; set SSL protocols
 ; can be comma separated list of 'SSLv3', 'TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
-ssl_protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
+ssl_protocols=TLSv1.2, TLSv1.3
 ; set TLS cipher suites
 #tls_ciphers=HIGH
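Review bot: The comment directly above the changed `ssl_protocols=` line still lists 'SSLv3', 'TLSv1' and 'TLSv1.1' as ordinary choices, with nothing telling an administrator that they are deprecated and now off by default. I would add a line such as `; TLSv1 and TLSv1.1 are deprecated and disabled by default; list them only for legacy clients that cannot do TLSv1.2`. The commit only edits the ini template, so an already installed xrdp.ini presumably keeps the old list after an upgrade. The built-in default used when `ssl_protocols` is absent or commented out is not visible in this hunk; it is worth confirming that the code-side fallback matches the new template, and mentioning the manual edit in the release notes.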