Disable TLS 1.1 in Insights

How to disable TLS 1.1 in Insights?

Issue Description: Disabling TLS 1.1 in Insights. This article applies only to standalone deployments; it is not an issue in Automation Suite or Cloud deployments.

Background: At the time of writing, this resolution applies to the following versions and below: 22.4.12, 22.10.9, 23.4.6 and 23.10.3.

Check the release notes to see when the fix was implemented for newer versions.

Resolution:

  1. Check whether the installed version of Insights has the config file needed to make the update.
    1. sudo docker exec looker-container ls /app/config/nginx.conf.template && echo "Yes" || echo "No"
    2. If the command returns Yes, it means the file that we need to update exists. If the file does not exist, upgrade Insights to a newer version.
  2. If 'No' was returned by the command in the previous step, upgrade to the latest version that matches the latest release of Orchestrator (i.e., if Orchestrator is 22.4.X, upgrade Insights to the latest 22.4.X release of Insights). In the past there were strict version requirements, but this is no longer the case. Insights is compatible with Orchestrator as long as the major versions match.
    1. This has no downtime for Orchestrator.
    2. See: https://docs.uipath.com/insights/standalone/2023.10/user-guide/insights-upgrading
  3. Once Insights has been upgraded, or if the command in step one returned 'Yes', run the following commands:
    1. sudo docker exec -it looker-container sed -i 's/TLSv1.1 //g' /app/config/nginx.conf.template
      sudo docker restart looker-container
      
    2. After the above commands have been executed, check whether TLSv1.1 is still available (you may want to wait 1-2 minutes for Looker to fully come up).
      1. openssl s_client -connect 127.0.0.1:9999 -tls1_1
      2. This is what it looks like if it is disabled:
        1. openssl s_client -connect 127.0.0.1:9999 -tls1_1
          CONNECTED(00000003)
          140293803673408:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 7 bytes and written 104 bytes
          Verification: OK
          ---
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          No ALPN negotiated
          SSL-Session:
              Protocol  : TLSv1.1
              Cipher    : 0000
              Session-ID:
              Session-ID-ctx:
              Master-Key:
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              Start Time: 1715109608
              Timeout   : 7200 (sec)
              Verify return code: 0 (ok)
              Extended master secret: no
          ---
      3. This is what it looks like if it is still enabled (this is only a sample snippet):
        1. CONNECTED(00000003)
          Can't use SSL_get_servername
          depth=0 CN = looker.local
          verify error:num=20:unable to get local issuer certificate
          verify return:1
          depth=0 CN = looker.local
          verify error:num=21:unable to verify the first certificate
          verify return:1
          ---
          Certificate chain
           0 s:CN = looker.local
             i:CN = looker.local
          ---
          Server certificate
          subject=CN = looker.local
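
The two outputs above can be told apart mechanically. The following shell functions are an added example, not part of the original article or of UiPath's tooling; the function and variable names are hypothetical. They add a third outcome, "inconclusive", for the case where the local OpenSSL client itself refuses to offer TLS 1.1 (newer OpenSSL builds often do), because that failure says nothing about the server.

```shell
#!/bin/sh
# Added example (not from the article): classify `openssl s_client -tls1_1` output.
# Function and variable names are hypothetical.

# Reads s_client output on stdin; prints disabled | enabled | inconclusive.
classify_tls11() {
    out=$(cat)
    # The local OpenSSL refused to offer TLS 1.1, so the server was never asked.
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo inconclusive; return 0
    fi
    # Server replied with alert 70 (protocol_version): TLS 1.1 is rejected.
    if printf '%s\n' "$out" | grep -Eq 'alert protocol version|SSL alert number 70'; then
        echo disabled; return 0
    fi
    # Handshake completed: SSL-Session shows TLSv1.1 with a real cipher (not 0000).
    if printf '%s\n' "$out" | awk '
        /^[ \t]*Protocol[ \t]*:/ { p = $NF }
        /^[ \t]*Cipher[ \t]*:/   { c = $NF }
        END { exit !(p == "TLSv1.1" && c != "" && c != "0000") }'; then
        echo enabled; return 0
    fi
    echo inconclusive
}

# Live probe; defaults to the article's endpoint. </dev/null ends the session.
probe_tls11() {
    openssl s_client -connect "${1:-127.0.0.1:9999}" -tls1_1 </dev/null 2>&1 | classify_tls11
}

# Trimmed from the article's "disabled" output.
SAMPLE_DISABLED='CONNECTED(00000003)
140293803673408:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
# Constructed: tail of a completed TLS 1.1 handshake (cipher name is illustrative).
SAMPLE_ENABLED='CONNECTED(00000003)
depth=0 CN = looker.local
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
# Constructed: client-side refusal, no handshake attempted.
SAMPLE_CLIENT_REFUSED='error:SSL routines:tls_setup_handshake:no protocols available'

for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED" "$SAMPLE_CLIENT_REFUSED"; do
    printf '%s\n' "$s" | classify_tls11
done
```

For a live check on the Insights host, call `probe_tls11` (optionally with a different host:port); an "inconclusive" result means the probe should be repeated from a client that still permits TLS 1.1.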