Pode
Set the default TLS protocols that Pode uses to just TLS1.3
DO NOT ACTION
This is simply a ticket to have this on the radar, and should not be actioned just yet. Doing so will very likely break people's integrations, and browser support.
Currently the default TLS protocols that Pode has enabled are SSL3 and TLS1.2 (or just TLS1.2 on macOS).
SSL3 definitely, but TLS1.2 is now being deprecated in favour of TLS1.3. It should be investigated at some point to set the default protocol for Pode to just TLS1.3 - but keep the others available should people require them.
@Badgerati we should change the default to TLS1.3 only, dropping SSL3 and TLS1.2 as default in 2.11.
Since we don't know when 2.11 will be released, we need to be careful as this could break many people's integrations immediately because they really can only use TLS1.2.
I am planning on doing a 2.10.1 for dropping PS7.3 support next month, so we could output a warning message from Add-PodeEndpoint for people using the default -SslProtocol, and inform people ahead of time to either explicitly set -SslProtocol Tls12 or prep for TLS1.3. At the same time as releasing, also inform people in the release notes; on X; Discord; etc.
This way we can give people a couple of months' notice before we change the default to TLS1.3. If 2.11 is released within that period, we bump to 2.12.
Or, see if there's a way to check if TLS1.3 is supported/enabled via PowerShell on any OS. If it is, then use TLS1.3 as the default then - though we still need to warn people. I just checked to see if there is a way of doing this, but couldn't find anything outside of Windows.
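The warning step proposed in the comment above, sketched as an added example (not Pode's code and not written by the thread's participants). `Get-EndpointSslProtocol` is a hypothetical helper; the default values and the `-SslProtocol` names are taken from the discussion.

```powershell
# Added illustration. Get-EndpointSslProtocol is a hypothetical helper, not a Pode function.
function Get-EndpointSslProtocol {
    [CmdletBinding()]
    param(
        # Protocols the caller asked for; leave unbound to take the default.
        [string[]]
        $SslProtocol
    )

    # Protocol names this .NET runtime defines.
    $known = [enum]::GetNames([System.Security.Authentication.SslProtocols])

    if ($PSBoundParameters.ContainsKey('SslProtocol')) {
        # Explicit choice: validate the names, never warn, never override.
        $unknown = @($SslProtocol | Where-Object { $_ -notin $known })
        if ($unknown.Count -gt 0) {
            throw "Unknown SSL/TLS protocol name(s): $($unknown -join ', ')"
        }
        return $SslProtocol
    }

    # Current defaults as described in the issue: SSL3 + TLS1.2, or TLS1.2 only on macOS.
    if ($IsMacOS) { $current = @('Tls12') } else { $current = @('Ssl3', 'Tls12') }

    # 'Tls13' being in the enum only shows that the runtime defines the value;
    # it does not prove the OS TLS stack can negotiate TLS 1.3.
    if ('Tls13' -in $known) {
        $hint = "set '-SslProtocol Tls13' to adopt it now"
    }
    else {
        $hint = 'upgrade the runtime, since this one does not define Tls13'
    }

    Write-Warning ("No -SslProtocol given, using the default: $($current -join ', '). " +
        'A future release is planned to default to Tls13 only. ' +
        "Set '-SslProtocol Tls12' to keep the current behaviour, or $hint.")

    return $current
}

# Constructed calls: the first relies on the default and takes the warning path,
# the second pins the protocol explicitly and stays silent.
Get-EndpointSslProtocol
Get-EndpointSslProtocol -SslProtocol Tls12
```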
In theory, SSL3 and TLS1.2 should always be available but have to be explicitly set. I understand your concern, but usually, for anything security-related, there is very little compassion for any side effect caused by the fix. Anyway, 7.2 and beyond are using the default set at the OS level, so typically SSL3 shouldn't be available.