diff --git a/internal/pkg/config/config.go b/internal/pkg/config/config.go
index a64884e67..1ffb4697d 100644
--- a/internal/pkg/config/config.go
+++ b/internal/pkg/config/config.go
@@ -15,12 +15,17 @@ import (
 "github.com/gofrs/uuid"
 "github.com/rs/zerolog"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 "github.com/elastic/fleet-server/v7/version"
 "github.com/elastic/go-ucfg"
 "github.com/elastic/go-ucfg/flag"
 "github.com/elastic/go-ucfg/yaml"
 )
+func init() {
+ tlscommon.SetInsecureDefaults()
+}
+
 // DefaultOptions defaults options used to read the configuration
 var DefaultOptions = []ucfg.Option{
 ucfg.PathSep("."),
diff --git a/internal/pkg/config/config_test.go b/internal/pkg/config/config_test.go
index f2ee8f34b..e43d17b18 100644
--- a/internal/pkg/config/config_test.go
+++ b/internal/pkg/config/config_test.go
@@ -7,11 +7,13 @@ package config
 import (
+ "crypto/tls"
 "path/filepath"
 "sync/atomic"
 "testing"
 "time"
+ "github.com/elastic/elastic-agent-libs/transport/tlscommon"
 testlog "github.com/elastic/fleet-server/v7/internal/pkg/testing/log"
 "github.com/gofrs/uuid"
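Review bot: The `init()` added in the config.go hunk calls `tlscommon.SetInsecureDefaults()` as an import side effect, so every binary and test that links this package gets the relaxed, process-wide TLS defaults with no opt-in and no comment saying why. Judging by the tests added in this commit, the result is a default minimum of TLS 1.1 and acceptance of `supported_protocols: [TLSv1.0]`; if tlscommon is also used for the server listener, that side is presumably affected too. At minimum, document the intent above the function, for example `// init keeps the relaxed TLS defaults (TLS 1.1 minimum by default, TLS 1.0 when configured explicitly); this mutates tlscommon package state for the whole process.` Consider also logging a warning when a loaded TLS config allows anything below TLS 1.2, so operators can see which deployments still depend on the old protocols.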
@@ -621,3 +623,27 @@ func TestDeprecationWarnings(t *testing.T) {
 require.NoError(t, err)
 assert.Equal(t, uint64(3), logCount.Load(), "Expected 3 log messages")
 }
+
+func TestTLSDefaults(t *testing.T) {
+ c, err := LoadFile(filepath.Join("testdata", "tls.yml"))
+ require.NoError(t, err)
+ require.NotNil(t, c.Output.Elasticsearch.TLS)
+
+ common, err := tlscommon.LoadTLSConfig(c.Output.Elasticsearch.TLS)
+ require.NoError(t, err)
+ cfg := common.ToConfig()
+ assert.Equal(t, uint16(tls.VersionTLS11), cfg.MinVersion)
+ assert.Equal(t, uint16(tls.VersionTLS13), cfg.MaxVersion)
+}
+
+func TestTLS10(t *testing.T) {
+ c, err := LoadFile(filepath.Join("testdata", "tls10.yml"))
+ require.NoError(t, err)
+ require.NotNil(t, c.Output.Elasticsearch.TLS)
+
+ common, err := tlscommon.LoadTLSConfig(c.Output.Elasticsearch.TLS)
+ require.NoError(t, err)
+ cfg := common.ToConfig()
+ assert.Equal(t, uint16(tls.VersionTLS10), cfg.MinVersion)
+ assert.Equal(t, uint16(tls.VersionTLS10), cfg.MaxVersion)
+}
diff --git a/internal/pkg/config/testdata/tls.yml b/internal/pkg/config/testdata/tls.yml
new file mode 100644
index 000000000..a3bc5ecab
--- /dev/null
+++ b/internal/pkg/config/testdata/tls.yml
@@ -0,0 +1,10 @@
+output:
+ elasticsearch:
+ hosts: ["localhost:9200"]
+ service_token: "test-token"
+ ssl:
+ enabled: true
+fleet:
+ agent:
+ id: 1e4954ce-af37-4731-9f4a-407b08e69e42
+
diff --git a/internal/pkg/config/testdata/tls10.yml b/internal/pkg/config/testdata/tls10.yml
new file mode 100644
index 000000000..570d5f004
--- /dev/null
+++ b/internal/pkg/config/testdata/tls10.yml
@@ -0,0 +1,11 @@
+output:
+ elasticsearch:
+ hosts: ["localhost:9200"]
+ service_token: "test-token"
+ ssl:
+ enabled: true
+ supported_protocols:
+ - TLSv1.0
+fleet:
+ agent:
+ id: 1e4954ce-af37-4731-9f4a-407b08e69e42
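Review bot: `TestTLSDefaults` and `TestTLS10` in the config_test.go hunk assert deprecated protocol versions as the expected outcome without saying that this is deliberate, so a later reader cannot tell a compatibility guarantee from a stale expectation. Both also depend on the package-level state set by `init()` in config.go, which is worth stating in a doc comment such as `// TestTLSDefaults pins the defaults installed by tlscommon.SetInsecureDefaults in init(): minimum TLS 1.1, maximum TLS 1.3.` The two bodies differ only in the fixture name and the expected versions, so they could be folded into one table-driven test. The tls.yml and tls10.yml fixtures that follow on this line need no change.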