Can we change cipher preference from client to server in SG

mohitj252 · February 22, 2021, 12:48pm

Elasticsearch version: 7.8.0

Describe the issue:
Is it possible to change cipher preference from client to server in searchguard, when I have executed nmap command it is giving me below output.
nmap --script +ssl-enum-ciphers -p 9200

here in the above output cipher preference is showing as client which I need to set to server, if there is any way to change this preference then please guide me.

srgbnd · February 22, 2021, 1:51pm

I’m not sure I understand you. What do you want to achieve in the end?

mohitj252 · February 23, 2021, 5:18am

Hi @srgbnd , thanks for response, here we want to set cipher preference to server. from the above example (output of the nmap command) cipher preference is cipher preference: client, but we want to set cipher preference: server.

srgbnd · February 23, 2021, 8:48am

Hi @mohitj252
Now Search Guard doesn’t have an option to set the cipher preference side. Do you fear the client can abuse it by negotiating a less secure cipher? Then limit number of accepted ciphers and TLS protocols on the Search Guard side, for example
elasticsearch.yml

searchguard.ssl.http.enabled_ciphers:
  - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
searchguard.ssl.http.enabled_protocols:
  - "TLSv1.1"
  - "TLSv1.2"

system · March 16, 2021, 8:48am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Setting up specific tls versions and allowed ciphers. Search Guard	4	395	May 25, 2016
Searchguard cipher suite issue Search Guard	2	513	March 27, 2020
Enabled_ciphers setting is not working as expected Search Guard	2	750	May 6, 2021
Hardening TLS cipher suites without doing a full-cluster restart Search Guard	2	345	January 6, 2021
Search Guard client configuration issue Search Guard	1	615	March 12, 2019

Can we change cipher preference from client to server in SG

Related Topics