Remove TLS 1.0 as a default SSL protocol

[tvernum]

The default value for ssl.supported_protocols no longer includes TLSv1
as this is an old protocol with known security issues.
Administrators can enable TLSv1.0 support by configuring the
appropriate ssl.supported_protocols setting, for example:

xpack.security.http.ssl.supported_protocols: ["TLSv1.2","TLSv1.1","TLSv1"]

Relates: #36021

[elasticmachine]

Pinging @elastic/es-security

[tvernum]

This is currently WIP because I need to make the same change in #37287 when it is merged.

I will raise a companion PR to deprecate the use of TLS1.0 in 6.x

[jkakavas]

LGTM

Maybe not in the scope of this PR, but do we want to start throwing [WARN] messages when TLS1 or older is used?

[jkakavas]

nit: remove extra space

[tvernum]

do we want to start throwing [WARN] messages when TLS1 or older is used?

For 6.7 we'll issue a deprecation warning if TLS1.0 is used without being explicitly enabled.

I'm not sure we want to issue warnings for things that users intentionally configure. We could but then we probably should warn on verification_mode: none and a bunch of other things.

[jaymode]

LGTM

[gwbrown]

We should also add a WARN level issue to the Deprecations API (#36024) if the default protocols list is in use (i.e. if it is not set explicitly).

This would probably be best to add to 6.x at the same time as the deprecation warnings, but you don't have bandwidth @tvernum I'd be happy to do it.

[tvernum]

@jkakavas @jaymode
I've added (a4cfb24) this to the 7.0 breaking changes doc if you'd like to cast your eye over that.

[tvernum]

@elasticmachine run elasticsearch-ci/2

[tvernum]

@elasticmachine run elasticsearch-ci/2

04:23:41 
04:23:41 > Task :x-pack:plugin:ccr:internalClusterTest FAILED
04:23:41 Tests with failures:
04:23:41   - org.elasticsearch.xpack.ccr.FollowerFailOverIT.testReadRequestsReturnsLatestMappingVersion
04:23:41   - org.elasticsearch.xpack.ccr.FollowerFailOverIT.testAddNewReplicasOnFollower
04:23:41 

I can't reproduce this, and I can't see how it's related (but it has failed twice)

[tvernum]

@elasticmachine run elasticsearch-ci/2

[jaymode]

still LGTM

[tvernum]

11:49:37 FAILURE 11.8s J2 | ReservedRealmIntegTests.testDisablingUser <<< FAILURES!
11:49:37    > Throwable #1: java.lang.AssertionError: Shard [.security-6][0] is still locked after 5 sec waiting
11:49:37    > 	at __randomizedtesting.SeedInfo.seed([D784343A8527B3AC:87758EACCFD15F3A]:0)
11:49:37    > 	at org.elasticsearch.test.InternalTestCluster.assertAfterTest(InternalTestCluster.java:2386)
11:49:37    > 	at org.elasticsearch.test.ESIntegTestCase.afterInternal(ESIntegTestCase.java:594)
11:49:37    > 	at org.elasticsearch.test.ESIntegTestCase.cleanUpCluster(ESIntegTestCase.java:2231)
11:49:37    > 	at java.lang.Thread.run(Thread.java:748)

@elasticmachine run elasticsearch-ci/2