diff --git a/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml b/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml
new file mode 100644
index 000000000..ceefc9357
--- /dev/null
+++ b/changelog/fragments/1729782694-Fleet-Server-uses-'ssl.verification_mode:-certificate'-by-default-for-incomming-client-connections.yaml
@@ -0,0 +1,44 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: |
+  Fleet Server uses 'ssl.verification_mode: certificate' by default for incoming client connections
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  Fleet Server now uses [github/com/elastic/elastic-agent-libs v0.14.0](https://github.com/elastic/elastic-agent-libs/releases/tag/v0.14.0) 
+  which by default configures server TLS verification mode as 'certificate'.
+  With this new default, when Fleet Server runs with Mutual TLS (mTLS) enabled,
+  it will only verify the presented client certificate during the TLS handshake,
+  without further validation against the `server_name` extension. Therefore
+  respecting the correct use of the 'server_name' extension as defined by
+  [RFC 6066](https://datatracker.ietf.org/doc/html/rfc6066). Previously
+  Fleet Server would attempt to perform a match, between the 'server_name' sent
+  by the client to either the client's certificate CN (common name), SANs or IPs.
+  Such verification would cause a rejection of the client's certificate if it
+  did not contain Fleet Server's host in either the CN, SANs or IPs.
+
+# Affected component; a word indicating the component this changeset affects.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234