How to disable TLS 1.1 in Insights?
Issue Description: Disabling TLS 1.1 in Insights. This article applies only to standalone Insights; it is not an issue in Automation Suite or Cloud deployments.
Background: At the time of writing, this resolution applies to the following versions and earlier: 22.4.12, 22.10.9, 23.4.6 and 23.10.3.
Check the release notes to see when the fix was implemented for newer versions.
Resolution:
- Check whether the installed version of Insights has the config file needed to make the update:
sudo docker exec looker-container ls /app/config/nginx.conf.template && echo "Yes" || echo "No"
- If the command returns 'Yes', the file that needs to be updated exists. If the file does not exist, upgrade Insights to a newer version.
- If the command in the previous step returned 'No', upgrade Insights to the latest version that matches the latest release of Orchestrator (i.e., if Orchestrator is 22.4.X, upgrade Insights to the latest 22.4.X release). In the past there were strict version requirements, but this is no longer the case. Insights is compatible with Orchestrator as long as the major versions match.
- This has no downtime for Orchestrator.
- See: https://docs.uipath.com/insights/standalone/2023.10/user-guide/insights-upgrading
- Once Insights has been upgraded, or if the command in step one returned 'Yes', run the following commands:
sudo docker exec -it looker-container sed -i 's/TLSv1.1 //g' /app/config/nginx.conf.template
sudo docker restart looker-container
- After the above commands have run, check whether TLSv1.1 is still available (you may want to wait 1-2 minutes for Looker to come up fully):
openssl s_client -connect 127.0.0.1:9999 -tls1_1
- This is what it looks like if it's disabled:
openssl s_client -connect 127.0.0.1:9999 -tls1_1
CONNECTED(00000003)
140293803673408:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1715109608
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
- This is what it looks like if it's still enabled (this is a snippet and just a sample):
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = looker.local
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = looker.local
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = looker.local
   i:CN = looker.local
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = looker.local
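A scripted version of the verification step above, added here as an example and not part of the original article: it classifies `openssl s_client -tls1_1` output instead of relying on reading it by eye. The function names and sample outputs are constructed for illustration, and it goes slightly beyond the article by reporting "inconclusive" when the local OpenSSL client itself refuses to offer TLS 1.1 or the port is not reachable yet.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -connect HOST:PORT -tls1_1` output.
# Prints one of: disabled | enabled | inconclusive

classify_tls11() {
    out=$1
    case $out in
        # The local OpenSSL build/policy refused to offer TLS 1.1, so the
        # server was never asked. Not evidence that the server disabled it.
        *"no protocols available"*|*"unknown option"*) echo inconclusive; return ;;
    esac
    case $out in
        *"CONNECTED("*) ;;
        *) echo inconclusive; return ;;  # TCP connect failed (container still starting?)
    esac
    case $out in
        # Server answered with alert 70 (protocol_version): TLS 1.1 rejected.
        *"alert protocol version"*) echo disabled; return ;;
    esac
    # A completed handshake names a real cipher instead of "(NONE)".
    if printf '%s\n' "$out" | grep -q 'Cipher is [^(]'; then
        echo enabled
    else
        echo inconclusive
    fi
}

# Live check; 2>&1 because the alert line goes to stderr, </dev/null so
# s_client exits after the handshake. Usage: check_tls11 127.0.0.1:9999
check_tls11() {
    classify_tls11 "$(openssl s_client -connect "$1" -tls1_1 </dev/null 2>&1)"
}

# Constructed sample outputs (abridged; the first follows this page's output).
SAMPLE_DISABLED='CONNECTED(00000003)
...:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:...:SSL alert number 70
New, (NONE), Cipher is (NONE)'
SAMPLE_ENABLED='CONNECTED(00000003)
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1'
SAMPLE_CLIENT_REFUSED='CONNECTED(00000003)
error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available'
SAMPLE_DOWN='connect: Connection refused'

for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_CLIENT_REFUSED" "$SAMPLE_DOWN"; do
    classify_tls11 "$s"
done
```

If the result is "inconclusive" because of the local client, run the check from a host whose OpenSSL still permits TLS 1.1.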