Need to disable insecure SSL ciphers/TLS 1.1 on Elastic Agent

On a recent vulnerability scan we had findings for the Elastic Agent Fleet Server for having TLS 1.1 enabled along with insecure ciphers on port 8220. I have a client asking that we fix this... I added the below to elastic-agent.yml and in the advanced fleet server config on the agent policy but I get no change in TLS/Ciphers used. I used the KB article but it is still not working. I tried to enable TLS 1.0 just to see if it was reading the file and that changed nothing. If I add some random garbage to the file then Elastic Agent won't open which tells me it is the right config file. Any thoughts?

Configure SSL/TLS for standalone Elastic Agents | Fleet and Elastic Agent Guide [8.12] | Elastic

Added to elastic-agent.yml
ssl:
enabled: true
cipher_suites:
- ECDHE-ECDSA-AES-128-GCM-SHA256
- ECDHE-RSA-AES-128-GCM-SHA256
- ECDHE-ECDSA-AES-256-GCM-SHA384
- ECDHE-RSA-AES-256-GCM-SHA384
supported_protocols:
- TLSv1.2
- TLSv1.3

Hi @salemone

It looks like the indentation is wrong, here is the correct version:

ssl:
  enabled: true
  cipher_suites:
    - ECDHE-ECDSA-AES-128-GCM-SHA256
    - ECDHE-RSA-AES-128-GCM-SHA256
    - ECDHE-ECDSA-AES-256-GCM-SHA384
    - ECDHE-RSA-AES-256-GCM-SHA384
  supported_protocols:
    - TLSv1.2
    - TLSv1.3

If I add some random garbage to the file then Elastic Agent won't open which tells me it is the right config file.

If you add some garbage in a way that makes the YAML file invalid, yes, the Elastic-Agent will fail to start. However, if it is still valid YAML but with unknown keys, then the Elastic-Agent will just ignore those unknown keys. That seems to be the case with your example.

I think mine did not copy and paste correctly to here because I didn't put it in the correct format. I copied your response and it did not change anything.

On Reddit I found that adding the following to the Fleet Server config in Fleets in Kibana fixed it.

server.ssl.supported_protocols: ["TLSv1.2", "TLSv1.3"]
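Added verification script (not part of this thread or of Elastic's tooling): after changing the Fleet Server TLS settings, probe port 8220 with openssl s_client for each protocol version and confirm TLS 1.0/1.1 are now refused. The host name is a placeholder, and the two sample s_client outputs are constructed to show what the classifier keys on.

```sh
#!/bin/sh
# Placeholder target (assumption): override with FLEET_HOST / FLEET_PORT.
FLEET_HOST="${FLEET_HOST:-fleet.example.internal}"
FLEET_PORT="${FLEET_PORT:-8220}"

# classify_handshake: reads s_client output on stdin. A negotiated session
# prints "New, <proto>, Cipher is <name>"; a refused one prints
# "Cipher is (NONE)" (or a client-side error), so only a real cipher name
# counts as "accepted".
classify_handshake() {
  if grep -qE 'Cipher is [A-Z0-9]'; then
    echo accepted
  else
    echo rejected
  fi
}

# probe_version: attempt one version (-tls1, -tls1_1, -tls1_2, -tls1_3).
# SECLEVEL=0 makes an OpenSSL 3 client willing to offer TLS 1.0/1.1 at all;
# without it a "rejected" could come from the client, not the server.
probe_version() {
  openssl s_client -connect "$1:$2" "$3" \
    -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>&1 | classify_handshake
}

# run_probe: sweep all versions; exit 1 if TLS 1.0 or 1.1 is still accepted,
# which is what the vulnerability scanner flagged on 8220.
run_probe() {
  status=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    result=$(probe_version "$FLEET_HOST" "$FLEET_PORT" "$flag")
    printf '%-8s %s\n' "$flag" "$result"
    case "$flag:$result" in
      -tls1:accepted|-tls1_1:accepted) status=1 ;;
    esac
  done
  return $status
}

# Constructed samples of s_client output, used to sanity-check the classifier.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'
SAMPLE_REJECTED='CONNECTED(00000003)
SSL routines::tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)'

if [ "${1:-}" = run ]; then run_probe; fi
```

Run as `sh probe.sh run` against your own Fleet Server once the policy change has been applied; every version other than 1.2 and 1.3 should report "rejected".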
