# fleet
z
In retrospect maybe I should have moved the default to `intermediate`? Penny for your thoughts... We could change that default for the next Fleet release.
r
Good question, Mozilla seems to recommend `intermediate` as the default as it’s a bit more flexible but still pretty secure, so perhaps? I think the problem here is that `modern` in 3.6.0 and `modern` in 3.7.0 don’t seem to be compatible.
Having said that, I’ll double check my Nginx configuration tomorrow, as it should be compatible 🤔 Just to be clear, bypassing Nginx everything else works fine for me, including osquery clients talking to Fleet.
z
Yeah, on a re-read of the Mozilla docs it's clear that `intermediate` is the recommended default. I think `modern` was a more appropriate default when we first started using their recommendations. If this is biting lots of folks I can cut a 3.7.1 that changes the default, but hopefully setting `intermediate` will sort it out.
b
Is there a list of ciphers that fleet is using in 3.7 I can pass to my load balancing team?
r
Fleet is using the ciphers listed for `modern` by default
b
It looks like modern is TLS 1.3 only…
r
seems the minimum TLS version got raised from 1.2 to 1.3, yeah
b
I think that is the issue, I don’t think osquery does 1.3.
r
I’m using *osquery* 4.5.1-1.linux everywhere which does seem to be working with 1.3, but I’ve downgraded to `intermediate` because of Nginx. In my setup the only reason Nginx is there is to avoid end-users needing to go to a different port, however all of our osquery clients talk directly to Fleet.
b
interesting. I have an F5 load balancer in the mix - I’ll see if they support TLS 1.3.
z
I'm not sure what version of osquery TLS 1.3 support goes back to but as Ryan said new versions are good.
The new `intermediate` profile has settings at least as good as the former `modern`, so it should be fine to use for compatibility.
r
Yeah, I suspect you’ll need to update the configuration of the virtual server in your F5.
b
I have 4.5.1 on most of the macs, and I am testing 4.6.0 on my box for this bit of troubleshooting.
r
Or tell Fleet to use `intermediate`, yeah, it’s still very secure.
This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.
Right, I gotta go, but good luck 👋
b
TY Ryan!