Thanks for getting in touch. The Octopus <-> Tentacle communication defaults to port 10933, which can be changed, or your tool can be made to accept that as a known acceptable configured port.
We have some great details here about the secure communication between Octopus and Tentacles: https://octopus.com/docs/administration/security/octopus-tentacle-communication
The SSL certificate has a large expiry to make it easier for customers to use. You can change that to make the scanning tool happy, or you can put in an exception.
We have details here if you would like to go down the path of taking ownership of the certificates and related configuration, which would allow you to then control the certificate expiry duration; you will then be responsible for rotating them: https://octopus.com/docs/administration/security/octopus-tentacle-communication/how-to-use-custom-certificates-with-octopus-server-and-tentacle
The other issues you have listed don’t make sense to us. Could you do some digging on your end and get more familiar with the scanning tool as to how it got some of those results and why?
There isn’t a session cookie for the Tentacles. If your scanner hits it over HTTP/HTTPS, it will reach a test page; there’s no concept of or need for a cookie for those test pages. So we’re not sure why it would be reporting that.
The last 2 items lack enough detail; this is where we need your help, if you’d like a resolution, about what the tool has done to reach those outcomes:
- HTTP Security Header Not Detected Active
- TLS Protocol Session Renegotiation Security Vulnerability