es version: 2.2.0
sg2 version: 2-2.2.0.0-alpha2
sg-ssl version: search-guard-ssl-2.2.0.6
openssl version: 1.0.2h
elasticsearch.yml:
network.host: 0.0.0.0
searchguard.authcz.admin_dn:
- "CN=kirk,OU=client,O=client,l=tEst, C=De"
searchguard.allow_all_from_loopback: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.enable_openssl_if_available: false
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
``
I use the statically linked jar mentioned in openssl.md, that is netty-tcnative-openssl-static-1.1.33.Fork16-fg01-linux-x86_64.jar
When ES is started normally, I get the following exception:
[com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Katrina Luisa van Horne] exception caught on transport layer [[id: 0xbef734e4, /0:0:0:0:0:0:0:1:10804 => /0:0:0:0:0:0:0:1:9300]], closing connection
java.lang.RuntimeException: java.security.KeyException
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.ProviderException: java.security.KeyException
at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:147)
at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:703)
at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:64)
at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1432)
at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1219)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1023)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
… 18 more
Caused by: java.security.KeyException
at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method)
at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:128)
… 32 more
``
and after enable_openssl_if_available is changed to true, the following exception appears:
[com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [Matt Murdock] exception caught on transport layer [[id: 0x83b7f149, /127.0.0.1:52052 => /127.0.0.1:9300]], closing connection
java.lang.AbstractMethodError
at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
at io.netty.handler.ssl.OpenSslEngine.readPlaintextData(OpenSslEngine.java:364)
at io.netty.handler.ssl.OpenSslEngine.unwrap(OpenSslEngine.java:697)
at io.netty.handler.ssl.OpenSslEngine.unwrap(OpenSslEngine.java:803)
at io.netty.handler.ssl.OpenSslEngine.unwrap(OpenSslEngine.java:846)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
``
And in both cases the "/_searchguard/sslinfo?pretty" API shows "Search Guard not initialized (SG11)"
···
As I had configured them successfully on Windows 7 before (JDK SSL provider), after I copy the whole Windows ES folder to CentOS and replace the statically linked tcnative, the "/_searchguard/sslinfo?pretty" API responds successfully as follows:
{
principal: null,
peer_certificates: "0",
ssl_protocol: null,
ssl_cipher: null,
ssl_openssl_available: true,
ssl_openssl_version: 268443791,
ssl_openssl_version_string: "OpenSSL 1.0.2h 3 May 2016",
ssl_openssl_non_available_cause: "",
ssl_provider_http: null,
ssl_provider_transport_server: "JDK",
ssl_provider_transport_client: "JDK"}
``
no matter whether I use the OpenSSL provider or the JDK provider, and Basic Auth works fine. But I still get the "exception caught on transport layer" exception when starting ES, and I can't update the SG config with sgadmin – when sgadmin runs, the same "exception caught on transport layer" exception appears.