Comment 5 for bug 1856428

3.69 would be fine. We just rebased for ESV, so we won't be picking up a rhel version of nss anytime soon.

We now set those defaults by policy anyway, so we probably only need backports for rhel-7.x (which we already have because rhel-7 still has ssl3 on by default).

RHEL-8 policy is already tls 1.2 min in our default policy (which actually surprises me, I thought it was tls 1.0). So I'm sure we are tls 1.2 min in fedora, where sha1 is also turned off by policy for signatures and ssl.