From dff3b2e383d2b86fc1053b6b3672edcae1be60d9 Mon Sep 17 00:00:00 2001
From: kruskal <99559985+kruskall@users.noreply.github.com>
Date: Fri, 10 Jan 2025 18:12:41 +0100
Subject: [PATCH 1/3] docs: update config comments about tls default values fix default tls protocols
---
 apm-server.docker.yml | 32 ++++++++++++++++----------------
 apm-server.yml | 32 ++++++++++++++++----------------
 2 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/apm-server.docker.yml b/apm-server.docker.yml
index f5fba96ea9d..60b493fb3b3 100644
--- a/apm-server.docker.yml
+++ b/apm-server.docker.yml
@@ -113,7 +113,7 @@ apm-server:
 #key_passphrase: ''
 # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
- #supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+ #supported_protocols: [TLSv1.2, TLSv1.2, TLSv1.3]
 # Configure cipher suites to be used for SSL connections.
 # Note that cipher suites are not configurable for TLS 1.3.
@@ -261,9 +261,9 @@ apm-server:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
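Review bot: The comments above `#supported_protocols` (hunk at 113) and `#ssl.supported_protocols` (hunks at 261, 397, 517, 676 and 924, in both apm-server.docker.yml and apm-server.yml) state the new default range but give no warning about the versions dropped from the sample list. An operator who puts the old values back to reach a legacy peer gets no hint that this weakens the connection, while the context of the 261 hunk shows `ssl.verification_mode` already carrying a "strongly discouraged" caveat. I would add one comment line after the default sentence in each place, for example `# TLSv1.0 and TLSv1.1 are deprecated (RFC 8996); enable them only for peers that cannot be upgraded.` Whether the setting still accepts those two values is not visible in this patch, so the wording should be adjusted if they are rejected outright. Each hunk shows only part of its config section.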
@@ -397,9 +397,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -517,9 +517,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -676,9 +676,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -924,9 +924,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
diff --git a/apm-server.yml b/apm-server.yml
index 35800aafd13..fafb845231e 100644
--- a/apm-server.yml
+++ b/apm-server.yml
@@ -113,7 +113,7 @@ apm-server:
 #key_passphrase: ''
 # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
- #supported_protocols: [TLSv1.1, TLSv1.2, TLSv1.3]
+ #supported_protocols: [TLSv1.2, TLSv1.2, TLSv1.3]
 # Configure cipher suites to be used for SSL connections.
 # Note that cipher suites are not configurable for TLS 1.3.
@@ -261,9 +261,9 @@ apm-server:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -397,9 +397,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -517,9 +517,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -676,9 +676,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
@@ -924,9 +924,9 @@ output.elasticsearch:
 # production environments is strongly discouraged.
 #ssl.verification_mode: full
- # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
- # 1.2 are enabled.
- #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
+ # List of supported/valid TLS versions. By default all TLS versions 1.2 up to
+ # 1.3 are enabled.
+ #ssl.supported_protocols: [TLSv1.2, TLSv1.3]
 # List of root certificates for HTTPS server verifications.
 #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
From b6b7a8ffa006d1cf65f3364fd911b0c7eac7c6d4 Mon Sep 17 00:00:00 2001
From: kruskal <99559985+kruskall@users.noreply.github.com>
Date: Mon, 13 Jan 2025 07:37:27 +0100
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Andrew Wilkins
---
 apm-server.docker.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apm-server.docker.yml b/apm-server.docker.yml
index 60b493fb3b3..8faac23b5b4 100644
--- a/apm-server.docker.yml
+++ b/apm-server.docker.yml
@@ -112,8 +112,8 @@ apm-server:
 # It is recommended to use the provided keystore instead of entering the passphrase in plain text.
 #key_passphrase: ''
- # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
- #supported_protocols: [TLSv1.2, TLSv1.2, TLSv1.3]
+ # List of supported/valid protocol versions. By default TLS versions 1.2 up to 1.3 are enabled.
+ #supported_protocols: [TLSv1.2, TLSv1.3]
 # Configure cipher suites to be used for SSL connections.
 # Note that cipher suites are not configurable for TLS 1.3.
From a7f4993e5e696a0ffbc6e3f497315aec54017d04 Mon Sep 17 00:00:00 2001
From: kruskal <99559985+kruskall@users.noreply.github.com>
Date: Mon, 13 Jan 2025 07:37:59 +0100
Subject: [PATCH 3/3] Update apm-server.yml
---
 apm-server.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apm-server.yml b/apm-server.yml
index fafb845231e..184426c878d 100644
--- a/apm-server.yml
+++ b/apm-server.yml
@@ -112,8 +112,8 @@ apm-server:
 # It is recommended to use the provided keystore instead of entering the passphrase in plain text.
 #key_passphrase: ''
- # List of supported/valid protocol versions. By default TLS versions 1.1 up to 1.3 are enabled.
- #supported_protocols: [TLSv1.2, TLSv1.2, TLSv1.3]
+ # List of supported/valid protocol versions. By default TLS versions 1.2 up to 1.3 are enabled.
+ #supported_protocols: [TLSv1.2, TLSv1.3]
 # Configure cipher suites to be used for SSL connections.
 # Note that cipher suites are not configurable for TLS 1.3.