diff --git a/defaults/main.yml b/defaults/main.yml
index c067cb0..6509297 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -147,7 +147,7 @@ gnocchi_ssl: false
 gnocchi_ssl_cert: /etc/ssl/certs/gnocchi.pem
 gnocchi_ssl_key: /etc/ssl/private/gnocchi.key
 gnocchi_ssl_ca_cert: /etc/ssl/certs/gnocchi-ca.pem
-gnocchi_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+gnocchi_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1') }}"
 gnocchi_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
 
 # if using a self-signed certificate, set this to true to regenerate it
diff --git a/releasenotes/notes/tls12-only-9b74e96cfd47a634.yaml b/releasenotes/notes/tls12-only-9b74e96cfd47a634.yaml
new file mode 100644
index 0000000..02f40db
--- /dev/null
+++ b/releasenotes/notes/tls12-only-9b74e96cfd47a634.yaml
@@ -0,0 +1,7 @@
+---
+security:
+  - |
+    The default TLS version has been set to TLS1.2.  This only allows
+    version 1.2 of the protocol to be used when terminating or creating TLS
+    connections.  You can change the value with the gnocchi_ssl_protocol
+    variable.