Disable TLSv1 & TLSv1.1

Hi All,

I am using Octopus Tentacle for Linux on Ubuntu 18.04; how can one disable TLS 1.0 and 1.1 for it?

I've tried the following: Surgut: How to disable TLS 1.0 and TLS 1.1 on Ubuntu
But it doesn't seem to work :frowning:

Thanks

Hi Sandy,

Thank you for contacting Octopus Help. Could I please ask what results / logs you are seeing when connecting to the Tentacle where you disabled TLS 1 and 1.1?

In the meantime I will speak to our Support team as they may be able to help with ways to test the secure connection to a tentacle anyway.

Regards

Mark

Solutions Architect

Hi Mark,

So in my openssl conf file I added the following:
[image]

And at the end of the conf file I added the below:
[image]

Restarted the Octopus Tentacle and tried the command below:

openssl s_client -tls1 -connect Instance IP:10933

And my thinking is that I should not be able to connect to that using TLS 1 and TLS 1.1, and should be getting an SSL handshake error or something.

From the console I am getting the result below:
[image]

From the logs I can see that the Tentacle is connecting through TLS 1.2, but from the server side I can reach the Tentacle using TLS 1 and TLS 1.1, hence wanting to have it disabled.

Thanks

Hi @sandy.moonoosamy!

Just jumping in from the Support team here. I did notice the same issues when using the MinProtocol config directive in OpenSSL 1.1.1 (the latest for Ubuntu 18.04); I was able to work around it by specifying the protocol suite directly, so instead of:

[system_default_sect]
MinProtocol = TLSv1.2

Use this:

[system_default_sect]
Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2

From here, it was locked down to TLSv1.2. Once this is set in your config, you’ll want to restart the Tentacle service, and it should be available via TLSv1.2.

Edit to add: The MinProtocol directive does work in Ubuntu 20.04 (Running OpenSSL 1.1.1f), so it appears that this workaround is only needed for 18.04/OpenSSL 1.1.1.

I hope this helps!
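
The check a practitioner would want after applying the Protocol line above is to confirm from another host that the Tentacle port really refuses TLS 1.0 and 1.1. The script below is an added example, not Octopus Deploy's code or anything from this thread: it inspects an openssl.cnf for either the MinProtocol or the Protocol restriction in [system_default_sect], then probes the port with openssl s_client once per protocol version and classifies the result. The host, port and config path are assumptions passed on the command line; 10933 is the Tentacle listening port used earlier in the thread.

```sh
#!/bin/sh
# Added example (not Octopus Deploy's own code): verify that a Tentacle port
# negotiates only TLS 1.2 after editing openssl.cnf. Host, port and config
# path are assumptions supplied as arguments.
set -u

# Classify `openssl s_client` output read from stdin. OpenSSL 1.1.1 prints a
# "New, <proto>, Cipher is <name>" line when a session was negotiated and
# "Cipher is (NONE)" when the handshake failed; a refused TCP connection
# prints no "Cipher is" line at all, which also counts as rejected.
classify_handshake() {
  if grep 'Cipher is' | grep -qv 'Cipher is (NONE)'; then
    echo accepted
  else
    echo rejected
  fi
}

# Probe one protocol version: $1 host, $2 port, $3 s_client version flag
# (-tls1, -tls1_1, -tls1_2, -tls1_3). Empty stdin makes s_client exit right
# after the handshake instead of waiting for interactive input.
probe_tls() {
  printf '' | openssl s_client "$3" -connect "$1:$2" 2>&1 | classify_handshake
}

# Check that the openssl.cnf at $1 restricts the system default SSL context
# to TLS 1.2 or newer, either via "MinProtocol = TLSv1.2" or via the
# "Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2" list from the thread.
# Exit status 0 means the restriction is present in [system_default_sect].
check_openssl_cnf() {
  awk '
    /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[system_default_sect\]/); next }
    insect && /^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*TLSv1\.[23]/ { ok = 1 }
    insect && /^[[:space:]]*Protocol[[:space:]]*=/ && /-TLSv1[,[:space:]]/ && /-TLSv1\.1/ && /[=,][[:space:]]*TLSv1\.[23]/ { ok = 1 }
    END { exit (ok ? 0 : 1) }
  ' "$1"
}

# Print one line per protocol version. With the Protocol line from the
# thread applied on the Tentacle host, only the -tls1_2 row should read
# "accepted" (and -tls1_3, if the Tentacle's OpenSSL supports it).
report() {
  host=$1
  port=$2
  cnf=${3:-/etc/ssl/openssl.cnf}
  if check_openssl_cnf "$cnf"; then
    echo "config $cnf: legacy TLS disabled in [system_default_sect]"
  else
    echo "config $cnf: WARNING, no MinProtocol/Protocol restriction found"
  fi
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "$flag" "$(probe_tls "$host" "$port" "$flag")"
  done
}

# Usage: sh tls_check.sh <tentacle-host> 10933 [/path/to/openssl.cnf]
if [ $# -ge 2 ]; then
  report "$@"
fi
```

Run the probe from a different machine than the Tentacle, because a local s_client is governed by the same openssl.cnf you just edited and would refuse the old versions on the client side regardless of what the server accepts. A -tls1 or -tls1_1 row still reading "accepted" after the Tentacle service restart means the config is not being picked up by the process.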

Hi Justin,

Yes the workaround suggested did the trick.

Thank you for the help

Does this configuration work on Red Hat Linux Enterprise Linux 7.9 ?

Hi @banen.mighri21

Good question, and one for which I haven't been able to get a confirmed answer. I have tried the options Justin posted earlier on Redhat 7, but neither worked. Both options still allow TLSv1 and 1.1.

I believe this could be a limitation of the openssl version which is quite old on Rhel 7. It might be possible to achieve this using a FIPS installation for Rhel 7 but I can’t vouch that it won’t also break other functionality.

If you have a Redhat support subscription it might be worth asking them for help. I can also ask with our Dev team, but it does appear from the install scripts that we rely on the openssl libs to allow or deny the TLS versions and RHEL 7 is not using a new enough version to allow this feature.

This ServerFault post mentions that this feature is for > openssl 1.1.1, and RHEL 7.9 is shipped with 1.0.2k, so we may be out of luck:

I will mention it to our team anyhow to see if there is another workaround. In the meantime, if you find any options to make this work please do post here and we can also add it to our docs.

Kind Regards,
Paraic
