Bug
Resolution: Unresolved
Normal
4.16.0
Quality / Stability / Reliability
False
Moderate
Rejected
Description of problem:
For OCP 4.16+, TLSv1.1 is documented as supported [1] for the Ingress Controller; however, TLSv1.1 is disabled on RHEL 9, on which the 4.16+ images are based. Even the LEGACY crypto policy in RHEL 9 enforces TLSv1.2 as the minimum [2][3], so working around this is not trivial. Since the documented procedure [4] for the Old profile does not actually enable TLSv1.1 for ingress, the documentation should be updated.

[1] https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/security_and_compliance/tls-security-profiles#tls-profiles-understanding_tls-security-profiles
[2] https://access.redhat.com/solutions/7099498
[3] https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/planning-and-implementing-tls_securing-networks#protocols
[4] https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/security_and_compliance/tls-security-profiles#tls-profiles-ingress-configuring_tls-security-profiles
Version-Release number of selected component (if applicable):
4.16
How reproducible:
100%
Steps to Reproduce:
1. Enable the Old profile for ingress:

   $ oc patch -n openshift-ingress-operator IngressController/default --type=merge --patch='{"spec":{"tlsSecurityProfile":{"old":{},"type":"Old"}}}'
   ingresscontroller.operator.openshift.io/default patched

2. Confirm the config is rolled out into haproxy:

   $ oc rsh -n openshift-ingress deploy/router-default grep ssl-default-bind-options /var/lib/haproxy/conf/haproxy.config
   ssl-default-bind-options ssl-min-ver TLSv1.1

3. Verify a TLSv1.1 connection to an ingress route:

   $ curl --tlsv1.1 --tls-max 1.1 -k https://$(oc get route -n openshift-ingress-canary -ojsonpath='{.status.ingress[0].host}' canary):443
   curl: (35) OpenSSL/3.1.1: error:0A0000BF:SSL routines::no protocols available
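Added example (not code from the bug report, from OpenShift, or from HAProxy): a small Python probe for checking which TLS versions a router endpoint accepts. One caveat matters when reading step 3 above: the OpenSSL error "no protocols available" (0A0000BF) is raised by the client's own OpenSSL when the local crypto policy leaves no enabled version in the requested range, and it is reported before any TLS record is sent. On its own it therefore shows that the client host refuses TLSv1.1; to see what the router answers, the probe must run from a client whose OpenSSL still permits TLSv1.1. The code below separates that client-side refusal from a server-side refusal (a fatal protocol_version alert coming back from the peer), and also extracts ssl-min-ver from a haproxy.config snippet the way step 2 does by eye. The haproxy.config sample and the loopback "refusing server" are constructed for the example; the host names and ports are assumptions.

```python
"""Probe a TLS endpoint for one protocol version and say who refused it.

Added example, not code from OpenShift, HAProxy, or the bug report.
"""
import socket
import ssl
import threading
from typing import Optional

# Constructed sample of the global section as rendered in
# /var/lib/haproxy/conf/haproxy.config after applying the Old profile.
SAMPLE_HAPROXY_CONFIG = """\
global
  ssl-default-bind-options ssl-min-ver TLSv1.1
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
"""

CLIENT_REFUSED = "client-refused"   # local OpenSSL/crypto-policy forbids the version
SERVER_REFUSED = "server-refused"   # the peer answered the ClientHello with an alert


def haproxy_min_tls(config_text: str) -> Optional[str]:
    """Return the ssl-min-ver value from the ssl-default-bind-options line, or None."""
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "ssl-default-bind-options" and "ssl-min-ver" in tokens:
            idx = tokens.index("ssl-min-ver") + 1
            if idx < len(tokens):
                return tokens[idx]
    return None


def classify_ssl_error(message: str) -> str:
    """Map an OpenSSL error string to the side that refused the version.

    'no protocols available' is produced locally, before any bytes reach the
    server (this is the curl error in step 3).  Alert-based messages are the
    server's answer and do reflect its configuration.
    """
    lowered = message.lower()
    if "no protocols available" in lowered:
        return CLIENT_REFUSED
    if ("protocol version" in lowered or "handshake failure" in lowered
            or "unsupported protocol" in lowered):
        return SERVER_REFUSED
    return "error: " + message


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion,
                      timeout: float = 5.0) -> str:
    """Pin min and max to one version and report the outcome for host:port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing the version only, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError as exc:           # the local OpenSSL cannot offer it at all
        return CLIENT_REFUSED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "negotiated " + str(tls.version())
    except ssl.SSLError as exc:
        return classify_ssl_error(str(exc))
    except OSError as exc:
        return "error: " + str(exc)


def start_refusing_server() -> int:
    """Constructed stand-in for a server that rejects every ClientHello with a
    fatal protocol_version alert (record type 21, level 2, description 70).
    Returns the loopback port it listens on."""
    alert = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46])
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve() -> None:
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            conn.recv(4096)             # swallow the ClientHello
            conn.sendall(alert)
        finally:
            conn.close()
            listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def demo_server_refused() -> str:
    """Exercise the server-side refusal path against the loopback server."""
    port = start_refusing_server()
    return probe_tls_version("127.0.0.1", port, ssl.TLSVersion.TLSv1_2)


if __name__ == "__main__":
    print("haproxy ssl-min-ver:", haproxy_min_tls(SAMPLE_HAPROXY_CONFIG))
    print("loopback alert server:", demo_server_refused())
    # Against a real route (host name is an assumption), run the probe for
    # TLSv1.1; CLIENT_REFUSED means this host's policy blocked it, not the router:
    # print(probe_tls_version("canary-openshift-ingress-canary.apps.example.com",
    #                         443, ssl.TLSVersion.TLSv1_1))
```

When the result for TLSv1.1 is "client-refused", repeat the probe from a host whose OpenSSL is not bound by the RHEL 9 policy; only "negotiated TLSv1.1" or "server-refused" says anything about the router's ssl-min-ver.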
Actual results:
TLSv1.2 is enforced as the minimum.
Expected results:
Additional info:
Issue links:
- depends on: OCPBUGS-63221 [API Server] Validation and doc OCP does not support TLSv1.1 on 4.16+ (New)
- is cloned by: OCPBUGS-63221 [API Server] Validation and doc OCP does not support TLSv1.1 on 4.16+ (New)
- is related to: OCPBUGS-53044 Unable to make TLS v1.1 connections to ingress despite it being enabled (Closed)