zwass

02/03/2021, 6:57 PM
In retrospect maybe I should have moved the default to intermediate? Penny for your thoughts... We could change that default for the next Fleet release.
Ryan

02/03/2021, 6:59 PM
Good question, Mozilla seems to recommend intermediate as the default as it’s a bit more flexible but still pretty secure, so perhaps? I think the problem here is that modern in 3.6.0 and modern in 3.7.0 don’t seem to be compatible.
Having said that, I’ll double check my Nginx configuration tomorrow, as it should be compatible 🤔 Just to be clear, bypassing Nginx everything else works fine for me, including osquery clients talking to Fleet.
zwass

02/03/2021, 7:03 PM
Yeah, on a re-read of the Mozilla docs it's clear that intermediate is the recommended default. I think modern was a more appropriate default when we first started using their recommendations. If this is biting lots of folks I can cut a 3.7.1 that changes the default, but hopefully setting intermediate will sort it out.
benbass

02/03/2021, 7:04 PM
Is there a list of ciphers that fleet is using in 3.7 I can pass to my load balancing team?
Ryan

02/03/2021, 7:04 PM
Fleet is using the ciphers listed for modern by default.
benbass

02/03/2021, 7:05 PM
It looks like modern is TLS 1.3 only…
Ryan

02/03/2021, 7:05 PM
seems the minimum TLS version got raised from 1.2 to 1.3, yeah
benbass

02/03/2021, 7:05 PM
I think that is the issue, I don’t think osquery does 1.3.
Ryan

02/03/2021, 7:08 PM
I’m using *osquery* 4.5.1-1.linux everywhere which does seem to be working with 1.3, but I’ve downgraded to intermediate because of Nginx. In my setup the only reason Nginx is there is to avoid end-users needing to go to a different port, however all of our osquery clients talk directly to Fleet.
benbass

02/03/2021, 7:09 PM
interesting. I have an F5 load balancer in the mix - I’ll see if they support TLS 1.3.
zwass

02/03/2021, 7:09 PM
I'm not sure what version of osquery TLS 1.3 support goes back to but as Ryan said new versions are good.
The new intermediate profile has settings at least as good as the former modern, so it should be fine to use for compatibility.
Ryan

02/03/2021, 7:09 PM
Yeah, I suspect you’ll need to update the configuration of the virtual server in your F5.
benbass

02/03/2021, 7:10 PM
I have 4.5.1 on most of the macs, and I am testing 4.6.0 on my box for this bit of troubleshooting.
Ryan

02/03/2021, 7:10 PM
Or tell Fleet to use intermediate, yeah, it’s still very secure.
This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.
Right, I gotta go, but good luck 👋
benbass

02/03/2021, 7:15 PM
TY Ryan!