Mattermost Peer-to-Peer Forum

Adjust TLS Settings


#1

For feature requests, please see: http://www.mattermost.org/feature-requests/.

For troubleshooting questions, please post in the following format:

Summary

Disabling TLSv1.0, but keep TLSv1.1 and TLSv1.2 active.

Steps to reproduce

I am using Mattermost 5.4 on a Centos7/RHEL7 server.

Expected behavior

I am trying to disable TLSv1.0 from being used on the webpage. When I look at the traffic now I notice that Mattermost still has the ability to talk on TLSv1.0 which my organization does not like.

Observed behavior

I don’t have any errors at this time. I do have TLS enabled and it is working well with self created certs. I just want to modify the TLS settings and I am note sure where they exist.


#2

Hi @unawareIT,

You can find TLS settings at System Console > General > Configuration - there will be settings like these: https://docs.mattermost.com/administration/config-settings.html#connection-security.

Let me know if this helps.


#3

@amy.blais Thank you for the response! I have followed the guide you referenced and everything went well. I am able to connect to my mattermost server over port 443 and I have the proper certs so that the server is trusted. I am also using TLS, but the TLS versions that are being used are TLSv1.0, TLSv1.1 and TLSv1.2.

I just need to stop using TLSv1.0 as it is vulnerable. Is there a way to disable TLSv1.0 specifically?


#4

Hi @unawareIT,

Currently there isn’t a way to disable specific TLS versions in Mattermost server. I just realized we have a ticket to fix this: https://mattermost.atlassian.net/browse/MM-10861. The fix will allow setting TLSv1.2 as a default.

A pull request for it has already been submitted and it will be available in v5.6 release (to be released on December 16th).

In the meanwhile, we recommend that you use a proxy such as Nginx and set up TLS on that proxy. This will give you much more control over how TLS is implemented and greatly improve performance.

Here are two pieces of documentation that will help you in getting a proxy set up (if you haven’t already):