Remove TLS 1.0 and 1.1 from the defaults on the server-side #5398

@PiotrSikora

This is the intent to remove TLS 1.0 and 1.1 from the default TLS protocols on the server-side.

This change will affect your deployment if it's using the default minimum TLS protocol version (i.e. not configuring tls_minimum_protocol_version) and it's accepting incoming TLS 1.0 or 1.1 connections:

$ curl -s localhost:9901/stats | grep -E "^listener.*.ssl.versions.TLSv(1|1.1):"
listener.<address>.ssl.versions.TLSv1: 1
listener.<address>.ssl.versions.TLSv1.1: 1

(This works only with Envoy v1.9.0 and newer)

ETA: 1.13 (i.e. early 2020)
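
Added example, not part of the original issue and not Envoy project code: a per-listener version of the stats check above, reporting which listeners have negotiated TLS 1.0 or 1.1 and how often. The function names `sample_stats` and `legacy_tls_listeners` are hypothetical, and the stats lines are constructed sample data in the format shown above.

```shell
#!/bin/sh
# Constructed sample of Envoy admin /stats output (not captured from a real host).
sample_stats() {
    cat <<'EOF'
listener.0.0.0.0_443.ssl.handshake: 24
listener.0.0.0.0_443.ssl.versions.TLSv1: 3
listener.0.0.0.0_443.ssl.versions.TLSv1.1: 1
listener.0.0.0.0_443.ssl.versions.TLSv1.2: 15
listener.0.0.0.0_443.ssl.versions.TLSv1.3: 5
listener.0.0.0.0_8443.ssl.versions.TLSv1: 0
listener.0.0.0.0_8443.ssl.versions.TLSv1.3: 9
EOF
}

# Reads /stats text on stdin and prints "<listener address> <version> <count>"
# for every listener counter showing TLS 1.0 or 1.1 connections.
# The dots are escaped and the trailing ": " is required, so TLSv1.2 and
# TLSv1.3 counters are never matched. Counters with a value of 0 are skipped.
legacy_tls_listeners() {
    awk -F': ' '
        /^listener\..*\.ssl\.versions\.TLSv1(\.1)?: / && $2 + 0 > 0 {
            name = $1
            sub(/^listener\./, "", name)            # drop the stat prefix
            ver = name
            sub(/^.*\.ssl\.versions\./, "", ver)    # keep only the TLS version
            sub(/\.ssl\.versions\..*$/, "", name)   # keep only the listener address
            print name, ver, $2
        }'
}

# Against a running Envoy (admin address as in the issue text):
#   curl -s localhost:9901/stats | legacy_tls_listeners
sample_stats | legacy_tls_listeners
```

Any listener printed here that does not set tls_minimum_protocol_version is one the default change will affect.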
