#fleet

Adam

01/20/2021, 1:39 PM
Hey guys, using Fleet 3.5.1 and testing with the `openssl s_client -tls1 -connect foo.bar:443` command shows successful negotiation with TLS 1.0 (also 1.1 seems to work). Is there any way to force Fleet to only accept TLS 1.2 or TLS 1.3 connections from agents?

zwass

01/20/2021, 3:30 PM
That is not intended. It's configurable via https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/2-Configuration.md#server_tls_compatibility but neither of those options should allow 1.0 and 1.1. I'll have a look at this.
I'm not able to reproduce this. I get error 70 (protocol not supported) when I try with TLS 1.0 or 1.1. Is this a misconfiguration in your load balancer or something else terminating TLS?
I do notice that Mozilla's TLS compatibility page has been updated since we set this, so I will go ahead and update to the new recommendations. If you are setting `intermediate` as the profile value, that does currently allow 1.0 and 1.1.

Adam

01/20/2021, 4:09 PM
yep, seems we are running as `intermediate`, so I'll take that back for an internal discussion. Thanks for the response!

zwass

01/20/2021, 4:20 PM
I just pushed https://github.com/fleetdm/fleet/pull/212 so it will be updated in 3.7.0 either way.

Adam

01/20/2021, 4:31 PM
👍