#fleet

Adam

01/20/2021, 1:39 PM
Hey guys, using Fleet 3.5.1 and testing with the openssl command `s_client -tls1 -connect foo.bar:443` shows successful negotiation with TLS 1.0 (also 1.1 seems to work). Is there any way to force Fleet to only accept TLS 1.2 or TLS 1.3 connections from agents?
zwass

01/20/2021, 3:30 PM
That is not intended. It's configurable via https://github.com/fleetdm/fleet/blob/master/docs/2-Deployment/2-Configuration.md#server_tls_compatibility but neither of those options should allow 1.0 and 1.1. I'll have a look at this.
3:39 PM
I'm not able to reproduce this. I get error 70 (protocol not supported) when I try with TLS 1.0 or 1.1. Is this a misconfiguration in your load balancer or something else terminating TLS?
3:49 PM
I do notice that Mozilla's TLS compatibility page has been updated since we set this, so I will go ahead and update to the new recommendations. If you are setting `intermediate` as the profile value, that does currently allow 1.0 and 1.1.
Adam

01/20/2021, 4:09 PM
yep, seems we are running as `intermediate` so I'll take that back for an internal discussion. Thanks for the response!
zwass

01/20/2021, 4:20 PM
I just pushed https://github.com/fleetdm/fleet/pull/212 so it will be updated in 3.7.0 either way.
Adam

01/20/2021, 4:31 PM
👍