Introduction
HCP Terraform Agents users may be required by their proxy servers to restrict the agents' outgoing HTTPS connections to specific TLS versions. The TFC-agents provided by HashiCorp are not aware of the TLS versions that are enabled for app.terraform.io and do not currently have an option to force HTTPS connections to use a specific TLS version. However, this can be achieved at the OS level. In this tutorial, I share how to configure the TLS version restriction on Linux systems.
Available TLS Versions for app.terraform.io
| SSL/TLS Versions | Status | Deprecated |
|---|---|---|
| TLS v1.3 | Enabled | False |
| TLS v1.2 | Enabled | False |
| TLS v1.1 | Disabled | True |
| TLS v1.0 | Disabled | True |
| SSLv3 | Disabled | True |
| SSLv2 | Disabled | True |
As of 2026/02/04, the available TLS versions are TLS 1.2 and TLS 1.3.
- Source: https://www.cdn77.com/tls-test/result?domain=app.terraform.io
Procedure
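Here is an example of forcing all outbound HTTPS connections to app.terraform.io to use TLS 1.2. Because these are OS-level settings, they apply to every application on the host that uses the system OpenSSL or GnuTLS configuration, not only to connections to app.terraform.io.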
- For applications that use OpenSSL (most common):

  Add these lines to /etc/ssl/openssl.cnf:

  ```
  [system_default_sect]
  CipherString = DEFAULT:@SECLEVEL=2
  MinProtocol = TLSv1.2
  MaxProtocol = TLSv1.2
  ```

  Also make sure that /etc/ssl/openssl.cnf contains these lines (they usually exist by default):

  ```
  [ssl_sect]
  system_default = system_default_sect
  ```

- For applications that use GnuTLS:

  Add these lines to /etc/gnutls/config:

  ```
  [overrides]
  disabled-version = tls1.0
  disabled-version = tls1.1
  disabled-version = tls1.3
  ```
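To check that the OpenSSL settings above are actually reachable, the following added example (not part of the original article or of HashiCorp's tooling) parses openssl.cnf text and follows the reference chain from openssl_conf through ssl_conf to system_default, which OpenSSL needs before MinProtocol and MaxProtocol take effect. The sample configs and the section name openssl_init are constructed for illustration, and .include directives are not followed.

```python
import re

def parse_sections(text):
    """Parse OpenSSL config text into {section: {key: value}}; keys before the
    first [header] go to "default". .include and $var expansion are not handled."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value           # a later duplicate overrides
    return sections

def effective_protocols(text):
    """Return (MinProtocol, MaxProtocol, problem); problem is None if the chain resolves."""
    sections, name = parse_sections(text), "default"
    # Section names vary between distributions, so follow references, not names.
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = sections.get(name, {}).get(key)
        if target not in sections:
            return None, None, f"[{name}] {key} = {target!r} does not resolve to a section"
        name = target
    leaf = sections[name]
    return leaf.get("MinProtocol"), leaf.get("MaxProtocol"), None

def pinned_to(text, version="TLSv1.2"):
    """True only if the reachable settings pin both bounds to `version`."""
    low, high, problem = effective_protocols(text)
    return problem is None and low == version and high == version

# Constructed sample (section names are illustrative): the page's settings, fully wired.
WIRED = """
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
"""
# Constructed sample: same settings, but nothing points at [ssl_sect], so they are ignored.
UNWIRED = WIRED.replace("ssl_conf = ssl_sect\n", "")
```

To audit a host, pass the contents of /etc/ssl/openssl.cnf to `pinned_to()`; a non-None `problem` from `effective_protocols()` names the broken link in the chain.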