
[SECURITY] Remove OTLP HTTP support for TLS 1.0 and TLS 1.1, require TLS 1.2 or better

Open marcalff opened this issue 1 year ago • 1 comment

Per the following RFC: https://www.ietf.org/rfc/rfc8996.html

TLS 1.0 MUST NOT be used. Negotiation of TLS 1.0 from any version of TLS MUST NOT be permitted.

TLS 1.1 MUST NOT be used. Negotiation of TLS 1.1 from any version of TLS MUST NOT be permitted.

In the OTLP HTTP exporter,

  • Remove min_TLS and max_TLS options support for TLS 1.0 and TLS 1.1.
  • Require TLS 1.2 or better

marcalff avatar Jun 27 '24 12:06 marcalff
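As an added illustration (not code from opentelemetry-cpp or from the issue author), a small C++ validator for the exporter's `min_TLS` / `max_TLS` settings that applies the rule proposed above: both ends of the configured range must be TLS 1.2 or better, so "1.0" and "1.1" are rejected instead of being handed to the TLS library. The "1.x" string format, the defaults for empty settings and the `ValidateTlsRange` helper are assumptions made for this example.

```cpp
#include <optional>
#include <string>

// Assumed encoding of TLS versions for comparison: "1.0" -> 10, ... "1.3" -> 13.
// The string format of min_TLS / max_TLS is an assumption for this example.
std::optional<int> ParseTlsVersion(const std::string& text) {
  if (text == "1.0") return 10;
  if (text == "1.1") return 11;
  if (text == "1.2") return 12;
  if (text == "1.3") return 13;
  return std::nullopt;  // unknown or malformed version string
}

// RFC 8996: TLS 1.0 and 1.1 MUST NOT be used or negotiated.
constexpr int kLowestAllowedTls = 12;
constexpr int kHighestKnownTls = 13;

struct TlsRange {
  bool ok = false;
  int min_version = 0;
  int max_version = 0;
  std::string error;  // reason for rejection, empty when ok
};

// Validate a (min_TLS, max_TLS) pair. Empty strings mean "use the default":
// minimum defaults to 1.2, maximum to the highest known version.
TlsRange ValidateTlsRange(const std::string& min_tls, const std::string& max_tls) {
  TlsRange r;
  int lo = kLowestAllowedTls;
  int hi = kHighestKnownTls;
  if (!min_tls.empty()) {
    auto v = ParseTlsVersion(min_tls);
    if (!v) { r.error = "min_TLS: unknown version '" + min_tls + "'"; return r; }
    lo = *v;
  }
  if (!max_tls.empty()) {
    auto v = ParseTlsVersion(max_tls);
    if (!v) { r.error = "max_TLS: unknown version '" + max_tls + "'"; return r; }
    hi = *v;
  }
  // Reject outright rather than silently clamping: a config that names 1.0/1.1
  // is a misconfiguration the operator should see and fix.
  if (lo < kLowestAllowedTls) { r.error = "min_TLS below 1.2 is not permitted"; return r; }
  if (hi < kLowestAllowedTls) { r.error = "max_TLS below 1.2 is not permitted"; return r; }
  if (lo > hi) { r.error = "min_TLS is greater than max_TLS"; return r; }
  r.ok = true; r.min_version = lo; r.max_version = hi;
  return r;
}
```

With the range validated, the exporter would map the two integers to its TLS library's minimum/maximum version settings; that mapping is library specific and not shown here.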

Note that this issue proposes to go straight to removal of TLS 1.0 and 1.1, without announcing deprecation in opentelemetry-cpp.

Per: https://en.wikipedia.org/wiki/Transport_Layer_Security#History_and_development TLS 1.0 and TLS 1.1 have been deprecated since 2021, in https://www.ietf.org/rfc/rfc8996.html

The RFC 8996 serves as a deprecation notice, and everybody should be well aware by now.

In practice, this should not be an issue.

A system that in theory:

  • supports the OTLP HTTP protocol, published in https://github.com/open-telemetry/opentelemetry-proto/releases/tag/v1.0.0 on Jul 3, 2023
  • supports TLS 1.0 or 1.1
  • but somehow does not support TLS 1.2, in use since 2008

will be very hard to find.

Any endpoint that supports OTLP HTTP and supports SSL is expected to support TLS 1.2 already, hence the hard and abrupt removal of TLS 1.0 and TLS 1.1, for security reasons.

marcalff avatar Jun 27 '24 20:06 marcalff