Can we change cipher preference from client to server in SG

Search Guard
#1

Elasticsearch version: 7.8.0

Describe the issue:
Is it possible to change cipher preference from client to server in searchguard, when I have executed nmap command it is giving me below output.
nmap --script +ssl-enum-ciphers -p 9200

PORT STATE SERVICE
9200/tcp open wap-wsp
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
|
| compressors:
| NULL
| cipher preference: client
|_ least strength: A

here in the above output cipher preference is showing as client which I need to set to server, if there is any way to change this preference then please guide me.

#2

I’m not sure I understand you. What do you want to achieve in the end?

#3

Hi @srgbnd , thanks for response, here we want to set cipher preference to server. from the above example (output of the nmap command) cipher preference is cipher preference: client, but we want to set cipher preference: server.

#4

Hi @mohitj252
Now Search Guard doesn’t have an option to set the cipher preference side. Do you fear the client can abuse it by negotiating a less secure cipher? Then limit number of accepted ciphers and TLS protocols on the Search Guard side, for example
elasticsearch.yml

searchguard.ssl.http.enabled_ciphers:
  - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
searchguard.ssl.http.enabled_protocols:
  - "TLSv1.1"
  - "TLSv1.2"