
Change default SSL protocol version to >= TLS1.2

bel2125 4 years ago
parent
commit
b7b3d2cdd9
3 files changed with 3 additions and 6 deletions
  1. +1 -0
      RELEASE_NOTES.md
  2. +2 -1
      docs/UserManual.md
  3. +0 -5
      src/civetweb.c

+ 1 - 0
RELEASE_NOTES.md

@@ -5,6 +5,7 @@ Release Notes v1.14 (under construction)
 Changes
 -------
 
+- Change SSL default setting to use TLS 1.2 as minimum (set config if you need an earlier version)
 - Add local_uri_raw field (not sanitized URI) to request_info
 - Additional API functions and a callback after closing connections
 - Allow mbedTLS as OpenSSL alternative (basic functionality)
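Review bot: the release note in this hunk tells users to "set config if you need an earlier version" without naming the option; since this is a behaviour change that can lock out TLS 1.0/1.1-only clients, the note should name `ssl_protocol_version` and the previous default (`0`) so an operator reading only the release notes knows exactly what to set back, e.g. "- Change default `ssl_protocol_version` from 0 to 4 (TLS 1.2 minimum); set it to 0 explicitly if you still need earlier versions".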

+ 2 - 1
docs/UserManual.md

@@ -640,7 +640,7 @@ OpenSSL documentation for full list of options and additional examples.
 ### ssl\_default\_verify\_paths `yes`
 Loads default trusted certificates locations set at openssl compile time.
 
-### ssl\_protocol\_version `0`
+### ssl\_protocol\_version `4`
 Sets the minimal accepted version of SSL/TLS protocol according to the table:
 
 Protocols | Value
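Review bot: the default in the heading is updated from `0` to `4`, which matches the "TLS1.2+TLS1.3 | 4" row visible in the next hunk's header, so the value itself is consistent; the sentence below it still says "Sets the minimal accepted version" without noting that `0` is the permissive value, so consider adding a half-sentence that value 0 accepts all versions the TLS library supports, since that is the setting operators will need if they override the new default.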
@@ -653,6 +653,7 @@ TLS1.2+TLS1.3 | 4
 TLS1.3 | 5
 
 TLS version 1.3 is only available if you are using an up-to-date TLS libary.
+The default setting has been changed from 0 to 4 in CivetWeb 1.14.
 
 ### ssl\_short\_trust `no`
 Enables the use of short lived certificates. This will allow for the certificates
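Review bot: the added line "The default setting has been changed from 0 to 4 in CivetWeb 1.14." is good; while this paragraph is being touched, the unchanged line above it has a typo ("libary" should be "library"), and it would help to state the consequence of the new default in the same sentence, e.g. "Clients that only support TLS 1.0 or 1.1 will be rejected unless `ssl_protocol_version` is set to a lower value."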

+ 0 - 5
src/civetweb.c

@@ -2127,14 +2127,9 @@ static const struct mg_option config_options[] = {
     {"ssl_default_verify_paths", MG_CONFIG_TYPE_BOOLEAN, "yes"},
     {"ssl_cipher_list", MG_CONFIG_TYPE_STRING, NULL},
 
-#if defined(USE_HTTP2)
     /* HTTP2 requires ALPN, and anyway TLS1.2 should be considered
      * as a minimum in 2020 */
     {"ssl_protocol_version", MG_CONFIG_TYPE_NUMBER, "4"},
-#else
-    /* Keep the default (compatibility) */
-    {"ssl_protocol_version", MG_CONFIG_TYPE_NUMBER, "0"},
-#endif /* defined(USE_HTTP2) */
 
     {"ssl_short_trust", MG_CONFIG_TYPE_BOOLEAN, "no"},
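Review bot: with the `#if defined(USE_HTTP2)` guard removed, the surviving comment "HTTP2 requires ALPN, and anyway TLS1.2 should be considered as a minimum in 2020" no longer describes why the default is 4 in the non-HTTP2 build; the HTTP2/ALPN clause was the justification for the conditional that this hunk deletes. Suggest rewording the comment to state the actual rationale, e.g. "/* TLS 1.2 is the minimum accepted version by default (value 4); set ssl_protocol_version to 0 for compatibility with older clients. HTTP2 additionally requires ALPN and hence TLS 1.2+. */", so the remaining text matches the unconditional default.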