How to disable legacy TLS versions on the Telegraf container in VMware Blockchain nodes
Article ID: 317032

Products

VMware Blockchain

Issue/Introduction

This article explains how to disable the weaker TLS versions (1.0 and 1.1) on the Telegraf container in VMware Blockchain replica and client nodes.

Symptoms:
  • Legacy TLS versions appear as enabled in your scan of VMware Blockchain nodes
    • This is observed in both Blockchain replica and client nodes
  • You would like to disable TLS legacy versions 1.0 and 1.1 from the Telegraf containers.


Environment

VMware Blockchain 1.2
VMware Blockchain 1.3
VMware Blockchain 1.4
VMware Blockchain 1.5

Resolution

Follow the steps below to disable the weaker TLS versions in Blockchain replica or client nodes.
  1. SSH into the first blockchain replica/client node.
  2. Using a text editor, open the /config/telegraf/telegraf.conf file.
  3. Add a tls_min_version entry to the end of the /config/telegraf/telegraf.conf file (example below).
  4. Save and close the file.
  5. Issue the following command to restart the Telegraf container:
     docker restart telegraf
  6. Repeat steps one through five for all client/replica nodes.

Below is a snippet from the telegraf.conf file with tls_min_version = "TLS12" added to it:

# Telegraf pull metrics configuration
[[outputs.prometheus_client]]
   ## Address to listen on
   listen = ":9273"
   ## Use HTTP Basic Authentication.
   basic_username = "xxxxxxx"
   basic_password = "xxxxxxx"
   ## Path to publish the metrics on.
   path = "/metrics"
   ## enable TLS with the given certificate if provided by users
   tls_cert = "/config/telegraf/certs/prometheus_client/telegraf.crt"
   tls_key = "/config/telegraf/certs/prometheus_client/telegraf.key"
   ## Minimum TLS version that is acceptable.
   tls_min_version = "TLS12"
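
As an added example (not VMware or Telegraf code), the following Python script audits a telegraf.conf for the setting described above: for each [[outputs.prometheus_client]] listener it reports whether tls_min_version requires TLS 1.2 or newer, and because it tracks which TOML table each key belongs to, it also catches a tls_min_version line that ended up under a different table. The embedded SAMPLE_CONF is constructed for this example; the second listener on ":9274" is not from the article.

```python
"""Audit telegraf.conf for the tls_min_version fix described above (added example,
not VMware or Telegraf code). Tracks which TOML table each key lands in, since a key
appended at the end of the file belongs to the last table declared. SAMPLE_CONF is
constructed; the ":9274" listener is not from the article."""
TLS_ORDER = ["TLS10", "TLS11", "TLS12", "TLS13"]  # Telegraf values, weak to strong
SAMPLE_CONF = """\
[[outputs.prometheus_client]]
   listen = ":9273"
   tls_cert = "/config/telegraf/certs/prometheus_client/telegraf.crt"
   tls_min_version = "TLS12"
[[outputs.prometheus_client]]
   listen = ":9274"
   tls_cert = "/config/telegraf/certs/prometheus_client/telegraf.crt"
"""

def parse_sections(text):
    """Return [(table_name, {key: value}), ...] in file order; skips comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                 # [table] or [[array.of.tables]]
            sections.append((line.strip("[]"), {}))
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not sections:              # not a key/value line, or no table yet
            continue
        # Quoted values may contain '#'; unquoted ones may carry a trailing comment.
        value = value[1:].split('"', 1)[0] if value.startswith('"') else value.split("#", 1)[0].strip()
        sections[-1][1][key] = value
    return sections

def audit_tls_min_version(text, required="TLS12"):
    """One finding per prometheus_client listener: OK, WEAK, MISSING or NO-TLS."""
    findings = []
    for name, keys in parse_sections(text):
        if name != "outputs.prometheus_client":
            continue
        listen, ver = keys.get("listen", "?"), keys.get("tls_min_version")
        if "tls_cert" not in keys:
            findings.append(f"NO-TLS {listen}: plaintext listener, tls_min_version has no effect")
        elif ver is None:
            findings.append(f"MISSING {listen}: no tls_min_version, legacy TLS not blocked")
        elif ver not in TLS_ORDER or TLS_ORDER.index(ver) < TLS_ORDER.index(required):
            findings.append(f"WEAK {listen}: tls_min_version = {ver}")
        else:
            findings.append(f"OK {listen}: tls_min_version = {ver}")
    return findings
```

Run it against a copied telegraf.conf from each node after step 6; a line reported as MISSING means the key did not land in that listener's block.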


Additional Information

If a VMware Blockchain deployment is scaled up (that is, more replica or client nodes are added), the new nodes will not include this modification. Repeat these steps on every newly added node.