3.69 would be fine. We just rebased for ESV, so we won't be picking up a rhel version of nss anytime soon.
We now set those defaults by policy anyway, so we probably only need backports for rhel-7.x (which we already have because rhel-7 still has ssl3 on by default).
RHEL-8 policy is already tls 1.2 min in our default policy (which actually surprises me, I thought it was tls 1.0). So I'm sure we are tls 1.2 min in fedora, where sha1 is also turned off by policy for signatures and ssl.
3.69 would be fine. We just rebased for ESV, so we won't be picking up a rhel version of nss anytime soon.
We now set those defaults by policy anyway, so we probably only need backports for rhel-7.x (which we already have because rhel-7 still has ssl3 on by default).
RHEL-8 policy is already tls 1.2 min in our default policy (which actually surprises me, I thought it was tls 1.0). So I'm sure we are tls 1.2 min in fedora, where sha1 is also turned off by policy for signatures and ssl.