How to enable legacy TLS with cflinuxfs4 stack
Article ID: 297400

Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

In cflinuxfs4 (based on Ubuntu Jammy), TLS versions below v1.2 are disabled by OpenSSL's default security level (SECLEVEL=2). Apps that have to connect to an external endpoint still running a TLS version below v1.2 (for example, when the peer side cannot upgrade its TLS version in the short term for special reasons) will fail the TLS handshake.

Resolution

This is highly NOT recommended and should only be used when the peer side cannot be upgraded to TLS v1.2 or above. The following workaround can be applied in a container created from cflinuxfs4:

  1. Copy /etc/ssl/openssl.cnf from a cflinuxfs4 container.
  2. Change CipherString = DEFAULT:@SECLEVEL=2 to SECLEVEL=0 or SECLEVEL=1.
  3. Put the file under the app root or another directory.
  4. Create the environment variable OPENSSL_CONF with the file path as its value, such as /home/vcap/app/openssl.cnf.
  5. Push the app.
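Steps 2 to 4 above, as an added example that is not part of the original article: a small shell function that rewrites only the CipherString line of the copied openssl.cnf and verifies that exactly one such line carries the new level. The sample config excerpt, the temporary paths and the app name APP_NAME are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article). Rewrites the SECLEVEL suffix of the
# CipherString line in a copied openssl.cnf; everything else is left untouched.

# set_seclevel <input cnf> <output cnf> <level>
set_seclevel() {
    in="$1"; out="$2"; level="$3"
    # Only the levels the article discusses are accepted.
    case "$level" in
        0|1|2) ;;
        *) echo "refusing unexpected SECLEVEL=$level" >&2; return 1 ;;
    esac
    sed -E "s/^(CipherString[[:space:]]*=[[:space:]]*DEFAULT:@SECLEVEL=)[0-9]+/\1${level}/" "$in" > "$out"
    # Verify that exactly one CipherString line now carries the requested level;
    # a 0 here means the copied file did not have the expected line.
    [ "$(grep -c "^CipherString[[:space:]]*=[[:space:]]*DEFAULT:@SECLEVEL=${level}\$" "$out")" -eq 1 ]
}

# Constructed excerpt of the relevant section of /etc/ssl/openssl.cnf on cflinuxfs4.
make_sample_cnf() {
    cat > "$1" <<'EOF'
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
EOF
}

# Usage, with the article's example path and an assumed app name:
#   make_sample_cnf /tmp/openssl.cnf.orig          # stands in for the copied file
#   set_seclevel /tmp/openssl.cnf.orig ./openssl.cnf 1
#   cf set-env APP_NAME OPENSSL_CONF /home/vcap/app/openssl.cnf
#   cf push APP_NAME
```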

The details of SECLEVEL can be found at https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_security_level.html

  • Level 0 is insecure and should not be used any more.
  • Level 1 is weak; it corresponds to a minimum of 80 bits of security.