# fleet
a
Hey guys, using Fleet 3.5.1 and testing with the `openssl` command `s_client -tls1 -connect foo.bar:443` shows successful negotiation with TLS 1.0 (also 1.1 seems to work). Is there any way to force Fleet to only accept TLS 1.2 or TLS 1.3 connections from agents?
z
That is not intended. It's configurable via https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/2-Configuration.md#server_tls_compatibility but neither of those options should allow 1.0 and 1.1. I'll have a look at this.
I'm not able to reproduce this. I get error 70 (protocol not supported) when I try with TLS 1.0 or 1.1. Is this a misconfiguration in your load balancer or something else terminating TLS?
I do notice that Mozilla's TLS compatibility page has been updated since we set this, so I will go ahead and update to the new recommendations. If you are setting `intermediate` as the profile value, that does currently allow 1.0 and 1.1.
a
yep, seems we are running as `intermediate` so I’ll take that back for an internal discussion. Thanks for the response!
z
I just pushed https://github.com/fleetdm/fleet/pull/212 so it will be updated in 3.7.0 either way.
a
👍