TLS1.1 disable in Fleet Server

Thorsten_82 · June 11, 2024, 11:48am

Hello,

I want do disable TLS1.1 support in Elastic Agent (Fleet Server).
In Custom fleet-server configurations I tried to set the "ssl.supported_protocols: [TLSv1.2]" but with no effect.
With "elastic-agent inspect" I see the setting I have made.

- data_stream:
    namespace: default
  id: fleet-server-fleet_server-e3679c00-3110-11ee-89dc-61113427e2ab
  meta:
    package:
      name: fleet_server
      version: 1.3.1
  name: fleet_server-1
  package_policy_id: e3679c00-3110-11ee-89dc-61113427e2ab
  revision: 5
  ssl:
    supported_protocols:
    - TLSv1.3
  type: fleet-server
  unused_key: not_used
  use_output: default

But with openssl s_client I am still able to connect with TLS1.1.

SSL handshake has read 2887 bytes and written 262 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 81D4516E1C3E2AD777764D779D9C106A19A66ECB6BFF47904F554314658EA221
    Session-ID-ctx:

Can anyone help me?

Thanks!

leandrojmp · June 11, 2024, 2:27pm

You need to use server.ssl.supported_protocols.

I have this on mine:

server.ssl.supported_protocols: ["TLSv1.2", "TLSv1.3"]
server.ssl.cipher_suites: [ "ECDHE-RSA-AES-128-GCM-SHA256", "ECDHE-RSA-AES-256-GCM-SHA384", "ECDHE-RSA-AES-128-CBC-SHA", "ECDHE-RSA-AES-256-CBC-SHA", "RSA-AES-128-GCM-SHA256", "RSA-AES-256-GCM-SHA384", "RSA-AES-128-CBC-SHA", "RSA-AES-256-CBC-SHA" ]

Thorsten_82 · June 12, 2024, 6:30am

Hey,

thanks a lot. That solved my issue!