Problem
A vulnerability scan may report that TLS 1.0 and TLS 1.1 are enabled on a Terraform Enterprise installation that is fronted by a load balancer. This can occur even though Terraform Enterprise itself does not support these older TLS versions.
Cause
This issue is typically caused by the load balancer in front of the Terraform Enterprise installation being configured to accept TLS 1.0 and TLS 1.1 connections.
Solutions
Solution 1: Reconfigure the Load Balancer
This solution involves two steps: first, verifying that the load balancer is the source of the issue, and second, updating its configuration.
Verify the TLS Connection Source
You can confirm that the load balancer is accepting older TLS versions by running the following curl command against your Terraform Enterprise URL. This command attempts a connection using only TLS 1.0 or TLS 1.1:

$ curl <TFE_URL> --verbose --tlsv1.0 --tls-max 1.1
If the connection succeeds, it confirms that a device in front of Terraform Enterprise, such as your load balancer, is accepting the outdated TLS versions.
Update Load Balancer Configuration
To resolve this issue, modify your load balancer's configuration to disable support for TLS 1.0 and TLS 1.1. The specific steps will vary depending on your load balancer provider (e.g., AWS ALB, F5, NGINX). You should configure the load balancer's security policy or TLS settings to only allow TLS 1.2 or newer.
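As an added example (not from the original article or from HashiCorp), assuming the device in front of Terraform Enterprise is an AWS Application Load Balancer managed with Terraform: the HTTPS listener's predefined security policy is what decides which TLS versions a client can negotiate, so the weak value and the corrected value are shown side by side. The ARNs are placeholders; the two policy names are AWS predefined policies.

```hcl
# Added example: HTTPS listener for Terraform Enterprise on an AWS ALB.
# The ARNs are placeholders; replace them with your own resources.
resource "aws_lb_listener" "tfe_https" {
  load_balancer_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/tfe/PLACEHOLDER"
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"

  # WEAK (what produces the scanner finding): this legacy policy still
  # negotiates TLS 1.0 and TLS 1.1, even though TFE itself never would.
  # ssl_policy = "ELBSecurityPolicy-2016-08"

  # CORRECTED: a predefined policy that only allows TLS 1.2 and TLS 1.3.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = "forward"
    target_group_arn = "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/tfe/PLACEHOLDER"
  }
}
```

After applying, re-run the curl command from the verification step; it should now fail the handshake instead of connecting.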
Additional Information
For more details on networking requirements, refer to the official Terraform Enterprise reference architecture documentation.