diff --git a/inventory/group_vars/all/ssl.yml b/inventory/group_vars/all/ssl.yml
index 9ff527b12f..f214ce76e9 100644
--- a/inventory/group_vars/all/ssl.yml
+++ b/inventory/group_vars/all/ssl.yml
@@ -16,6 +16,6 @@
 ## SSL
 # These do not need to be configured unless you're creating certificates for
 # services running behind Apache (currently, Horizon and Keystone).
-ssl_protocol: "ALL -SSLv2 -SSLv3"
+ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
 # Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
 ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
diff --git a/releasenotes/notes/tls12-only-08825fd013f0a244.yaml b/releasenotes/notes/tls12-only-08825fd013f0a244.yaml
new file mode 100644
index 0000000000..170b8a7d76
--- /dev/null
+++ b/releasenotes/notes/tls12-only-08825fd013f0a244.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the ssl_protocol variable.