I'm going to close out this bug based on input from Daniel Berrange from the patch review:
"IMHO hardcoding a specific TLS version is pretty undesirable. There is active work to enable TLS 1.3 in all crypto libraries in the very near future, so we really want choice of version to be configurable, to avoid having to make potentially bogus assumptions about which specific versions are desired.
In Fedora there is a systemwide crypto policy which controls what versions of TLS openssl uses in all apps. IIUC, the original code should honour that global policy, so if the admin turned off TLS 1.0 / 1.1 in global policy Nova would already be doing the right thing. By explicitly setting a version here, it overrides the system global defaults. IOW if those defaults requested 1.3, this proposed change will in fact cause a regression."
I'm going to close out this bug based on input from Daniel Berrange from the patch review:
"IMHO hardcoding a specific TLS version is pretty undesirable. There is active work to enable TLS 1.3 in all crypto libraries in the very near future, so we really want choice of version to be configurable, to avoid having to make potentially bogus assumptions about which specific versions are desired.
In Fedora there is a systemwide crypto policy which controls what versions of TLS openssl uses in all apps. IIUC, the original code should honour that global policy, so if the admin turned off TLS 1.0 / 1.1 in global policy Nova would already be doing the right thing. By explicitly setting a version here, it overrides the system global defaults. IOW if those defaults requested 1.3, this proposed change will in fact cause a regression."