diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4c046134ddb..ed6738ada14 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -32,6 +32,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Affecting all Beats*
+- Fix a logging bug when `ssl.verification_mode` was set to `full` or `certificate`, the command `test output` incorrectly logged that TLS was disabled. {pull}30331[30331]
 *Auditbeat*
diff --git a/libbeat/common/transport/tls.go b/libbeat/common/transport/tls.go
index 5f8ade67012..25b116d8998 100644
--- a/libbeat/common/transport/tls.go
+++ b/libbeat/common/transport/tls.go
@@ -154,7 +154,21 @@ func tlsDialWith(
 }
 }
 
- if tlsConfig.InsecureSkipVerify {
+ // config might be nil, so get the zero-value and then read what is in config.
+ // We assume that the zero-value is the default value
+ var verification tlscommon.TLSVerificationMode
+ if config != nil {
+ verification = config.Verification
+ }
+
+ // We only check the status of config.Verification (`ssl.verification_mode`
+ // in the configuration file) because we have a custom verification logic
+ // implemented by setting tlsConfig.VerifyConnection that runs regardless of
+ // the status of tlsConfig.InsecureSkipVerify.
+ // For verification modes VerifyFull and VerifyCeritifcate we set
+ // tlsConfig.InsecureSkipVerify to true, hence it's not an indicator of
+ // whether TLS verification is enabled or not.
+ if verification == tlscommon.VerifyNone {
 d.Warn("security", "server's certificate chain verification is disabled")
 } else {
 d.Info("security", "server's certificate chain verification is enabled")
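Review bot: The new `if verification == tlscommon.VerifyNone` condition decides the log line from the configured mode alone, so when `config` is nil, or if a caller passes a `tlsConfig` with `InsecureSkipVerify` set and no `VerifyConnection` callback, the dialer reports that chain verification is enabled although nothing in the effective `tls.Config` would verify the chain. Since the comment itself states that the custom verification lives in `tlsConfig.VerifyConnection`, the effective state can be cross-checked in the same condition: `if verification == tlscommon.VerifyNone || (tlsConfig.InsecureSkipVerify && tlsConfig.VerifyConnection == nil) {`. The `config == nil` path also depends on the zero value of `TLSVerificationMode` being the full-verification default, which the comment presents as an assumption; it would be more useful stated as a fact tied to the constant's declaration, or replaced by an explicit assignment of the intended default. The comment also misspells `VerifyCeritifcate`; it should read `VerifyCertificate`. tlsDialWith starts before and continues past this hunk.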