Enable TLS 1.2 / TLS 1.3 and disable older TLS versions

In Opsview version 6.6.6 and above, you can enable TLS 1.2 and disable older TLS versions by editing the agent configuration file on the host running the agent.

Prerequisites Copied

• None

Process Copied

1. Log in to the host running the agent.
2. Open the /opt/opsview/agent/etc/nrpe.cfg file in your preferred text editor.
3. Change the protocols=... line to:

protocols=TLSv1_2:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1

This enables TLS 1.2 and disables SSL 2, SSL 3, TLS 1 and TLS 1.1. 4. Restart the opsview-agent service:

systemctl restart opsview-agent

Windows agent Copied

Only TLS 1.2 is enabled by default in the latest versions of the Windows agent.

Infrastructure agent Copied

You can do the same on the infrastructure-agent by adding the argument NO_TLSv1_2 line in agent.yml this will currently block TLS 1.2 and leaving TLS 1.3 only, therefore only allowing TLS 1.3, the same can be done with older protocols.

vim /opt/itrs/infrastructure-agent/cfg/custom/agent.yml
nmap --script ssl-enum-ciphers -p 5666 127.0.0.1
Starting Nmap 7.92 ( https://nmap.org ) at 2025-10-20 12:52 UTC
Nmap scan report for ops.opsview (127.0.0.1)
Host is up (0.000079s latency).

PORT STATE SERVICE
5666/tcp open nrpe
| ssl-enum-ciphers:
| TLSv1.3:
| ciphers:
| TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| cipher preference: server
|_ least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

Make sure you restart the infrastructure agent service after you make changed to it config yaml file