certificate unknown error

Hi everyone,

I’m trying to deploy searchguard in a 3 nodes cluster.

I already did it on a 2 nodes (both local) with success.

I generated nodes certificates and client nodes certificates for applications connected to elasticsearch.

All nodes seem to start correctly and discover each other.

I tried to call elasticsearch using curl and a login/password user (defined in sg_internal_users.yml) and it works fine (I got a result with correct credentials, and Unauthorized when i use a wrong password).

But then I tried to import my generated keystore and truststore in an application using SearchGuard plugin in its transport client (java), and got the following result in the target elasticsearch node logs :

[2017-11-22T17:53:14,525][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_144]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

   at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

   at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

  at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]

``

This setup was working in my test setup, but here I can’t get it to work.

I found no way of logging ssl infos. I added -Djavax.net.debug=all in every location possible (jvm.options and directly in elasticsearch script), but got no ssl debug data.

The only thing i get is searhguard debug info

[2017-11-22T17:52:35,887][INFO ][o.e.n.Node ] [ppjbies1] JVM arguments [-Xms2g, -Xmx2g, -Djavax.net.debug=all, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Djavax.net.debug=all, -Des.path.home=/opt/es-home]

[2017-11-22T17:52:36,679][INFO ][c.f.s.SearchGuardPlugin ] Clustername: pp-company-es-cluster

[2017-11-22T17:52:36,679][WARN ][c.f.s.SearchGuardPlugin ]

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy

  • LDAP authentication/authorization

  • Active Directory authentication/authorization

  • REST Management API

  • JSON Web Token (JWT) authentication/authorization

  • Kerberos authentication/authorization

  • Document- and Fieldlevel Security (DLS/FLS)

  • Auditlogging

In case of any doubt mail to sales@floragunn.com

···

###################################

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy

  • LDAP authentication/authorization

  • Active Directory authentication/authorization

  • REST Management API

  • JSON Web Token (JWT) authentication/authorization

  • Kerberos authentication/authorization

  • Document- and Fieldlevel Security (DLS/FLS)

  • Auditlogging

In case of any doubt mail to sales@floragunn.com

###################################

[2017-11-22T17:52:36,680][WARN ][c.f.s.SearchGuardPlugin ] Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.

Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.

[2017-11-22T17:52:36,711][INFO ][c.f.s.SearchGuardPlugin ] Node [ppjbies1] is a transportClient: false/tribeNode: false/tribeNodeClient: false

[2017-11-22T17:52:36,712][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_144

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 2.6.32-642.11.1.el6.x86_64

[2017-11-22T17:52:36,919][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

[2017-11-22T17:52:36,931][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

[2017-11-22T17:52:36,932][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /opt/es-data/config/, from there the key- and truststore files are resolved relatively

[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks

[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config

[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.truststore_filepath is /opt/es-data/config/truststore.jks

[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,939][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1

[2017-11-22T17:52:36,939][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,940][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store

[2017-11-22T17:52:36,973][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config

[2017-11-22T17:52:36,974][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,975][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1

[2017-11-22T17:52:36,975][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.truststore_filepath is /opt/es-data/config/truststore.jks

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false

[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [aggs-matrix-stats]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [ingest-common]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-expression]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-groovy]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-mustache]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-painless]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [parent-join]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [percolator]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [reindex]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty3]

[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty4]

[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded plugin [search-guard-5]

[2017-11-22T17:52:38,566][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin

[2017-11-22T17:52:38,617][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl

[2017-11-22T17:52:38,618][INFO ][c.f.s.SearchGuardPlugin ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl

[2017-11-22T17:52:38,619][DEBUG][c.f.s.SearchGuardPlugin ] Using com.floragunn.searchguard.transport.DefaultInterClusterRequestEvaluator as intercluster request evaluator class

[2017-11-22T17:52:38,620][INFO ][c.f.s.SearchGuardPlugin ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl

[2017-11-22T17:52:38,629][DEBUG][c.f.s.c.AdminDNs ] CN=sgadmin,OU=APO,O=company,L=France,C=FR is registered as an admin dn

[2017-11-22T17:52:38,631][DEBUG][c.f.s.c.AdminDNs ] Loaded 1 admin DN’s [CN=sgadmin,OU=APO,O=company,L=France,C=FR]

[2017-11-22T17:52:38,632][DEBUG][c.f.s.c.AdminDNs ] Loaded 0 impersonation DN’s {}

[2017-11-22T17:52:38,645][DEBUG][c.f.s.c.ConfigurationLoader] Index is: searchguard

[2017-11-22T17:52:38,646][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.http.XFFResolver@32120956

[2017-11-22T17:52:38,674][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.auth.BackendRegistry@67770b37

[2017-11-22T17:52:38,717][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] using max_chunk_size[8kb], max_header_size[8kb], max_initial_line_length[4kb], max_content_length[100mb], receive_predictor[64kb->64kb], pipelining[true], pipelining_max_events[10000]

[2017-11-22T17:52:38,739][INFO ][o.e.d.DiscoveryModule ] [ppjbies1] using discovery type [zen]

[2017-11-22T17:52:39,342][INFO ][o.e.n.Node ] [ppjbies1] initialized

[2017-11-22T17:52:39,343][INFO ][o.e.n.Node ] [ppjbies1] starting …

[2017-11-22T17:52:39,413][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] using profile[default], worker_count[8], port[9300-9400], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[64kb->64kb]

[2017-11-22T17:52:39,419][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] binding server bootstrap to: [0.0.0.0]

[2017-11-22T17:52:39,498][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] Bound profile [default] to address {0.0.0.0:9300}

[2017-11-22T17:52:39,500][INFO ][o.e.t.TransportService ] [ppjbies1] publish_address {172.21.22.38:9300}, bound_addresses {0.0.0.0:9300}

[2017-11-22T17:52:39,510][INFO ][o.e.b.BootstrapChecks ] [ppjbies1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-11-22T17:52:39,515][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists …

[2017-11-22T17:52:39,522][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [ppjbies1] no known master node, scheduling a retry

[2017-11-22T17:52:59,361][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjessbi}{FVHpTmZURWGQs1yxLhu0kw}{cFtADFUYSEWk_mY6nrTCQQ}{172.21.22.37}{172.21.22.37:9300}]

[2017-11-22T17:52:59,617][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjbies2}{jhcY9XfoTIikmatGsYGpZQ}{w8W6-t8JSRuyZFf00gvXLQ}{172.21.22.39}{172.21.22.39:9300}]

[2017-11-22T17:52:59,620][INFO ][o.e.c.s.ClusterSettings ] [ppjbies1] updating [cluster.routing.allocation.enable] from [ALL] to [all]

[2017-11-22T17:52:59,926][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] Bound http to address {0.0.0.0:9200}

[2017-11-22T17:52:59,928][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] publish_address {172.21.22.38:9200}, bound_addresses {0.0.0.0:9200}

[2017-11-22T17:52:59,929][INFO ][o.e.n.Node ] [ppjbies1] started

[2017-11-22T17:53:00,698][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Node started, try to initialize it. Wait for at least yellow cluster state…

[2017-11-22T17:53:00,762][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Try to load config …

[2017-11-22T17:53:02,080][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4

[2017-11-22T17:53:02,087][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3

[2017-11-22T17:53:02,091][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2

[2017-11-22T17:53:02,093][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1

[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0

[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Retrieved [rolesmapping, config, internalusers, actiongroups, roles] configs

[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4

[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3

[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2

[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1

[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@32120956 listener about change configuration with type config

[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@67770b37 listener about change configuration with type config

[2017-11-22T17:53:03,184][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘ppjbies1’ initialized

[2017-11-22T17:53:03,184][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0

[2017-11-22T17:53:04,225][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

``

And i configured each node this way, configured users, roles, actions and so on, then installed them using sgadmin.sh, whcih finished with success message.

######## Start Search Guard Configuration ########

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks

searchguard.ssl.transport.truststore_filepath: /opt/es-data/config/truststore.jks

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks

searchguard.ssl.http.truststore_filepath: /opt/es-data/config/truststore.jks

The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.

searchguard.authcz.admin_dn:

  • CN=sgadmin,OU=APO,O=company,L=France,C=FR

######## End Search Guard Configuration ########

``

I would really appreciate if someone could help.

Does any one have any idea ?
@SearchGuard, you closed the related issue in github, but could you try to help ? I have no clue on what the problem could be, and can’t manage to activate javax.net.debug.

···

On Wednesday, November 22, 2017 at 7:18:36 PM UTC+1, Frédéric Esnault wrote:

Hi everyone,

I’m trying to deploy searchguard in a 3 nodes cluster.

I already did it on a 2 nodes (both local) with success.

I generated nodes certificates and client nodes certificates for applications connected to elasticsearch.

All nodes seem to start correctly and discover each other.

I tried to call elasticsearch using curl and a login/password user (defined in sg_internal_users.yml) and it works fine (I got a result with correct credentials, and Unauthorized when i use a wrong password).

But then I tried to import my generated keystore and truststore in an application using SearchGuard plugin in its transport client (java), and got the following result in the target elasticsearch node logs :

[2017-11-22T17:53:14,525][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_144]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

   at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
   at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
 at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
 at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]

``

This setup was working in my test setup, but here I can’t get it to work.

I found no way of logging ssl infos. I added -Djavax.net.debug=all in every location possible (jvm.options and directly in elasticsearch script), but got no ssl debug data.

The only thing i get is searhguard debug info

[2017-11-22T17:52:35,887][INFO ][o.e.n.Node ] [ppjbies1] JVM arguments [-Xms2g, -Xmx2g, -Djavax.net.debug=all, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Djavax.net.debug=all, -Des.path.home=/opt/es-home]

[2017-11-22T17:52:36,679][INFO ][c.f.s.SearchGuardPlugin ] Clustername: pp-company-es-cluster

[2017-11-22T17:52:36,679][WARN ][c.f.s.SearchGuardPlugin ]

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy
  • LDAP authentication/authorization
  • Active Directory authentication/authorization
  • REST Management API
  • JSON Web Token (JWT) authentication/authorization
  • Kerberos authentication/authorization
  • Document- and Fieldlevel Security (DLS/FLS)
  • Auditlogging

In case of any doubt mail to sales@floragunn.com

###################################

LICENSE NOTICE Search Guard

If you use one or more of the following features in production

make sure you have a valid Search Guard license

(See https://floragunn.com/searchguard-validate-license)

  • Kibana Multitenancy
  • LDAP authentication/authorization
  • Active Directory authentication/authorization
  • REST Management API
  • JSON Web Token (JWT) authentication/authorization
  • Kerberos authentication/authorization
  • Document- and Fieldlevel Security (DLS/FLS)
  • Auditlogging

In case of any doubt mail to sales@floragunn.com

###################################

[2017-11-22T17:52:36,680][WARN ][c.f.s.SearchGuardPlugin ] Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.

Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.

[2017-11-22T17:52:36,711][INFO ][c.f.s.SearchGuardPlugin ] Node [ppjbies1] is a transportClient: false/tribeNode: false/tribeNodeClient: false

[2017-11-22T17:52:36,712][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_144

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification

[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot™ 64-Bit Server VM

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64

[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 2.6.32-642.11.1.el6.x86_64

[2017-11-22T17:52:36,919][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

[2017-11-22T17:52:36,931][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

[2017-11-22T17:52:36,932][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /opt/es-data/config/, from there the key- and truststore files are resolved relatively

[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks

[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config

[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.truststore_filepath is /opt/es-data/config/truststore.jks

[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,939][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1

[2017-11-22T17:52:36,939][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,940][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store

[2017-11-22T17:52:36,973][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config

[2017-11-22T17:52:36,974][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,975][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1

[2017-11-22T17:52:36,975][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false

[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.truststore_filepath is /opt/es-data/config/truststore.jks

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases

[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false

[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true

[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit… That is not an issue, it just limits possible encryption strength. To enable AES 256 install ‘Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files’

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]

[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [aggs-matrix-stats]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [ingest-common]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-expression]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-groovy]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-mustache]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-painless]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [parent-join]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [percolator]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [reindex]

[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty3]

[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty4]

[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded plugin [search-guard-5]

[2017-11-22T17:52:38,566][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin

[2017-11-22T17:52:38,617][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl

[2017-11-22T17:52:38,618][INFO ][c.f.s.SearchGuardPlugin ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl

[2017-11-22T17:52:38,619][DEBUG][c.f.s.SearchGuardPlugin ] Using com.floragunn.searchguard.transport.DefaultInterClusterRequestEvaluator as intercluster request evaluator class

[2017-11-22T17:52:38,620][INFO ][c.f.s.SearchGuardPlugin ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl

[2017-11-22T17:52:38,629][DEBUG][c.f.s.c.AdminDNs ] CN=sgadmin,OU=APO,O=company,L=France,C=FR is registered as an admin dn

[2017-11-22T17:52:38,631][DEBUG][c.f.s.c.AdminDNs ] Loaded 1 admin DN’s [CN=sgadmin,OU=APO,O=company,L=France,C=FR]

[2017-11-22T17:52:38,632][DEBUG][c.f.s.c.AdminDNs ] Loaded 0 impersonation DN’s {}

[2017-11-22T17:52:38,645][DEBUG][c.f.s.c.ConfigurationLoader] Index is: searchguard

[2017-11-22T17:52:38,646][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.http.XFFResolver@32120956

[2017-11-22T17:52:38,674][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.auth.BackendRegistry@67770b37

[2017-11-22T17:52:38,717][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] using max_chunk_size[8kb], max_header_size[8kb], max_initial_line_length[4kb], max_content_length[100mb], receive_predictor[64kb->64kb], pipelining[true], pipelining_max_events[10000]

[2017-11-22T17:52:38,739][INFO ][o.e.d.DiscoveryModule ] [ppjbies1] using discovery type [zen]

[2017-11-22T17:52:39,342][INFO ][o.e.n.Node ] [ppjbies1] initialized

[2017-11-22T17:52:39,343][INFO ][o.e.n.Node ] [ppjbies1] starting …

[2017-11-22T17:52:39,413][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] using profile[default], worker_count[8], port[9300-9400], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[64kb->64kb]

[2017-11-22T17:52:39,419][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] binding server bootstrap to: [0.0.0.0]

[2017-11-22T17:52:39,498][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] Bound profile [default] to address {0.0.0.0:9300}

[2017-11-22T17:52:39,500][INFO ][o.e.t.TransportService ] [ppjbies1] publish_address {172.21.22.38:9300}, bound_addresses {0.0.0.0:9300}

[2017-11-22T17:52:39,510][INFO ][o.e.b.BootstrapChecks ] [ppjbies1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks

[2017-11-22T17:52:39,515][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists …

[2017-11-22T17:52:39,522][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [ppjbies1] no known master node, scheduling a retry

[2017-11-22T17:52:59,361][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjessbi}{FVHpTmZURWGQs1yxLhu0kw}{cFtADFUYSEWk_mY6nrTCQQ}{172.21.22.37}{172.21.22.37:9300}]

[2017-11-22T17:52:59,617][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjbies2}{jhcY9XfoTIikmatGsYGpZQ}{w8W6-t8JSRuyZFf00gvXLQ}{172.21.22.39}{172.21.22.39:9300}]

[2017-11-22T17:52:59,620][INFO ][o.e.c.s.ClusterSettings ] [ppjbies1] updating [cluster.routing.allocation.enable] from [ALL] to [all]

[2017-11-22T17:52:59,926][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] Bound http to address {0.0.0.0:9200}

[2017-11-22T17:52:59,928][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] publish_address {172.21.22.38:9200}, bound_addresses {0.0.0.0:9200}

[2017-11-22T17:52:59,929][INFO ][o.e.n.Node ] [ppjbies1] started

[2017-11-22T17:53:00,698][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Node started, try to initialize it. Wait for at least yellow cluster state…

[2017-11-22T17:53:00,762][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Try to load config …

[2017-11-22T17:53:02,080][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4

[2017-11-22T17:53:02,087][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3

[2017-11-22T17:53:02,091][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2

[2017-11-22T17:53:02,093][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1

[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0

[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Retrieved [rolesmapping, config, internalusers, actiongroups, roles] configs

[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4

[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3

[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2

[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1

[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@32120956 listener about change configuration with type config

[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@67770b37 listener about change configuration with type config

[2017-11-22T17:53:03,184][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node ‘ppjbies1’ initialized

[2017-11-22T17:53:03,184][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0

[2017-11-22T17:53:04,225][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

``

And i configured each node this way, configured users, roles, actions and so on, then installed them using sgadmin.sh, whcih finished with success message.

######## Start Search Guard Configuration ########

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks

searchguard.ssl.transport.truststore_filepath: /opt/es-data/config/truststore.jks

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks

searchguard.ssl.http.truststore_filepath: /opt/es-data/config/truststore.jks

The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.

searchguard.authcz.admin_dn:

  • CN=sgadmin,OU=APO,O=company,L=France,C=FR

######## End Search Guard Configuration ########

``

I would really appreciate if someone could help.

The output of -Djavax.net.debug=all goes to stdout (and so probably not into the logfile dependet from the way you installes ES. Maybe look in the systemd journal or start in in foreground mode).

"certificate_unknown" just means that the certificates in your keystore are not trusted by the root ca in your truststore. Maybe you messed up your certs somehow? Did you generate them from the same root ca?
What sounds strange to me is that you get it working with 2 nodes out of 3. Can you check whats different between the 2 working nodes and the 3rd node which does not work?

Pls post also the sgadmin command you use. Maybe the certs for sgadmin are not matching those which are deployed in the nodes?

···

Am 24.11.2017 um 08:38 schrieb Frédéric Esnault <frederic.esnault@ovyka.com>:

Does any one have any idea ?
@SearchGuard, you closed the related issue in github, but could you try to help ? I have no clue on what the problem could be, and can't manage to activate javax.net.debug.

On Wednesday, November 22, 2017 at 7:18:36 PM UTC+1, Frédéric Esnault wrote:
Hi everyone,

I'm trying to deploy searchguard in a 3 nodes cluster.
I already did it on a 2 nodes (both local) with success.

I generated nodes certificates and client nodes certificates for applications connected to elasticsearch.
All nodes seem to start correctly and discover each other.

I tried to call elasticsearch using curl and a login/password user (defined in sg_internal_users.yml) and it works fine (I got a result with correct credentials, and Unauthorized when i use a wrong password).

But then I tried to import my generated keystore and truststore in an application using SearchGuard plugin in its transport client (java), and got the following result in the target elasticsearch node logs :

[2017-11-22T17:53:14,525][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_144]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
   at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
  at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
       at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
   at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
       at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
     at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
      at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]

This setup was working in my test setup, but here I can't get it to work.

I found no way of logging ssl infos. I added -Djavax.net.debug=all in every location possible (jvm.options and directly in elasticsearch script), but got no ssl debug data.
The only thing i get is searhguard debug info

[2017-11-22T17:52:35,887][INFO ][o.e.n.Node ] [ppjbies1] JVM arguments [-Xms2g, -Xmx2g, -Djavax.net.debug=all, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Djavax.net.debug=all, -Des.path.home=/opt/es-home]
[2017-11-22T17:52:36,679][INFO ][c.f.s.SearchGuardPlugin ] Clustername: pp-company-es-cluster
[2017-11-22T17:52:36,679][WARN ][c.f.s.SearchGuardPlugin ]
### LICENSE NOTICE Search Guard ###

If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See https://floragunn.com/searchguard-validate-license)

* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging

In case of any doubt mail to <sales@floragunn.com>
###################################

### LICENSE NOTICE Search Guard ###

If you use one or more of the following features in production
make sure you have a valid Search Guard license
(See https://floragunn.com/searchguard-validate-license)

* Kibana Multitenancy
* LDAP authentication/authorization
* Active Directory authentication/authorization
* REST Management API
* JSON Web Token (JWT) authentication/authorization
* Kerberos authentication/authorization
* Document- and Fieldlevel Security (DLS/FLS)
* Auditlogging

In case of any doubt mail to <sales@floragunn.com>
###################################
[2017-11-22T17:52:36,680][WARN ][c.f.s.SearchGuardPlugin ] Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.
Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.
[2017-11-22T17:52:36,711][INFO ][c.f.s.SearchGuardPlugin ] Node [ppjbies1] is a transportClient: false/tribeNode: false/tribeNodeClient: false
[2017-11-22T17:52:36,712][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_144
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
[2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
[2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 2.6.32-642.11.1.el6.x86_64
[2017-11-22T17:52:36,919][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-11-22T17:52:36,931][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
[2017-11-22T17:52:36,932][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /opt/es-data/config/, from there the key- and truststore files are resolved relatively
[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks
[2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config
[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.truststore_filepath is /opt/es-data/config/truststore.jks
[2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config
[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
[2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,939][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1
[2017-11-22T17:52:36,939][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
[2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,940][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store
[2017-11-22T17:52:36,973][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks
[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config
[2017-11-22T17:52:36,974][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,975][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1
[2017-11-22T17:52:36,975][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
[2017-11-22T17:52:36,976][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.truststore_filepath is /opt/es-data/config/truststore.jks
[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config
[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
[2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
[2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store
[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
[2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [aggs-matrix-stats]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [ingest-common]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-expression]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-groovy]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-mustache]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-painless]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [parent-join]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [percolator]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [reindex]
[2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty3]
[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty4]
[2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded plugin [search-guard-5]
[2017-11-22T17:52:38,566][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
[2017-11-22T17:52:38,617][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl
[2017-11-22T17:52:38,618][INFO ][c.f.s.SearchGuardPlugin ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl
[2017-11-22T17:52:38,619][DEBUG][c.f.s.SearchGuardPlugin ] Using com.floragunn.searchguard.transport.DefaultInterClusterRequestEvaluator as intercluster request evaluator class
[2017-11-22T17:52:38,620][INFO ][c.f.s.SearchGuardPlugin ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl
[2017-11-22T17:52:38,629][DEBUG][c.f.s.c.AdminDNs ] CN=sgadmin,OU=APO,O=company,L=France,C=FR is registered as an admin dn
[2017-11-22T17:52:38,631][DEBUG][c.f.s.c.AdminDNs ] Loaded 1 admin DN's [CN=sgadmin,OU=APO,O=company,L=France,C=FR]
[2017-11-22T17:52:38,632][DEBUG][c.f.s.c.AdminDNs ] Loaded 0 impersonation DN's {}
[2017-11-22T17:52:38,645][DEBUG][c.f.s.c.ConfigurationLoader] Index is: searchguard
[2017-11-22T17:52:38,646][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.http.XFFResolver@32120956
[2017-11-22T17:52:38,674][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.auth.BackendRegistry@67770b37
[2017-11-22T17:52:38,717][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] using max_chunk_size[8kb], max_header_size[8kb], max_initial_line_length[4kb], max_content_length[100mb], receive_predictor[64kb->64kb], pipelining[true], pipelining_max_events[10000]
[2017-11-22T17:52:38,739][INFO ][o.e.d.DiscoveryModule ] [ppjbies1] using discovery type [zen]
[2017-11-22T17:52:39,342][INFO ][o.e.n.Node ] [ppjbies1] initialized
[2017-11-22T17:52:39,343][INFO ][o.e.n.Node ] [ppjbies1] starting ...
[2017-11-22T17:52:39,413][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] using profile[default], worker_count[8], port[9300-9400], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[64kb->64kb]
[2017-11-22T17:52:39,419][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] binding server bootstrap to: [0.0.0.0]
[2017-11-22T17:52:39,498][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] Bound profile [default] to address {0.0.0.0:9300}
[2017-11-22T17:52:39,500][INFO ][o.e.t.TransportService ] [ppjbies1] publish_address {172.21.22.38:9300}, bound_addresses {0.0.0.0:9300}
[2017-11-22T17:52:39,510][INFO ][o.e.b.BootstrapChecks ] [ppjbies1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-11-22T17:52:39,515][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists ...
[2017-11-22T17:52:39,522][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [ppjbies1] no known master node, scheduling a retry
[2017-11-22T17:52:59,361][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjessbi}{FVHpTmZURWGQs1yxLhu0kw}{cFtADFUYSEWk_mY6nrTCQQ}{172.21.22.37}{172.21.22.37:9300}]
[2017-11-22T17:52:59,617][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjbies2}{jhcY9XfoTIikmatGsYGpZQ}{w8W6-t8JSRuyZFf00gvXLQ}{172.21.22.39}{172.21.22.39:9300}]
[2017-11-22T17:52:59,620][INFO ][o.e.c.s.ClusterSettings ] [ppjbies1] updating [cluster.routing.allocation.enable] from [ALL] to [all]
[2017-11-22T17:52:59,926][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] Bound http to address {0.0.0.0:9200}
[2017-11-22T17:52:59,928][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] publish_address {172.21.22.38:9200}, bound_addresses {0.0.0.0:9200}
[2017-11-22T17:52:59,929][INFO ][o.e.n.Node ] [ppjbies1] started
[2017-11-22T17:53:00,698][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Node started, try to initialize it. Wait for at least yellow cluster state....
[2017-11-22T17:53:00,762][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Try to load config ...
[2017-11-22T17:53:02,080][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4
[2017-11-22T17:53:02,087][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3
[2017-11-22T17:53:02,091][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2
[2017-11-22T17:53:02,093][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1
[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
[2017-11-22T17:53:02,096][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Retrieved [rolesmapping, config, internalusers, actiongroups, roles] configs
[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4
[2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3
[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2
[2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1
[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@32120956 listener about change configuration with type config
[2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@67770b37 listener about change configuration with type config
[2017-11-22T17:53:03,184][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node 'ppjbies1' initialized
[2017-11-22T17:53:03,184][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
[2017-11-22T17:53:04,225][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

And i configured each node this way, configured users, roles, actions and so on, then installed them using sgadmin.sh, whcih finished with success message.

######## Start Search Guard Configuration ########
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks
searchguard.ssl.transport.truststore_filepath: /opt/es-data/config/truststore.jks
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks
searchguard.ssl.http.truststore_filepath: /opt/es-data/config/truststore.jks
# The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.
searchguard.authcz.admin_dn:
  - CN=sgadmin,OU=APO,O=company,L=France,C=FR

######## End Search Guard Configuration ########

I would really appreciate if someone could help.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/122c40c4-8682-4dde-8a38-6d16e7a653f0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hi SearchGuard,

I explained wrong, I got it working on two nodes during my tests. These two nodes were local on my desktop.

Now I’m deploying on a real environment, each node on its own server, and it dos not work on any node.

About the certifcates, I generated them using the scripts in search_guard_ssl. I just modified them to change the root ca passphrase and add a customized ip for each node, but for client nodes, I changed nothing except the root ca passphrase.

Here is the script generating all certificates :

#!/bin/bash

OPENSSL_VER="$(openssl version)"

if [[ $OPENSSL_VER == “0.9” ]]; then

    echo "Your OpenSSL version is too old: $OPENSSL_VER"

    echo "Please install version 1.0.1 or later"

    exit -1

else

echo "Your OpenSSL version is: $OPENSSL_VER"

fi

set -e

./clean.sh

Root CA

./gen_root_ca.sh capassphrase changeit

Nodes

./gen_node_cert.sh ppjessbi changeit capassphrase 172.21.22.37

./gen_node_cert.sh ppjbies1 changeit capassphrase 172.21.22.38

./gen_node_cert.sh ppjbies2 changeit capassphrase 172.21.22.39

./gen_node_cert.sh ppjbies3 changeit capassphrase 172.21.22.40

Applications clients

···

This is the certificate that is not working

./gen_client_node_cert.sh jira changeit capassphrase

Admin client

./gen_client_node_cert.sh sgadmin changeit capassphrase

rm -f ./tmp

``

Here is the sgadmin command :

./sgadmin.sh -cd /opt/searchguard/config -ts /opt/es-data/config/truststore.jks -ks /opt/es-data/config/sgadmin-keystore.jks -tspass changeit -kspass changeit -cn pp-es-cluster -nhnv

``

Make sure you execute ./gen_root_ca.sh only once. Certificates generatet not with the exactly same root CA are not trusted each other.
I suggest you delete every certificate/key/truststore etc and recreate all certs (but only once).

The scripts are known to work so i can only imagine you use certs signed by different root ca's because you run ./gen_root_ca.sh more than once.
Or use the TLS cert generator https://floragunn.com/tls-certificate-generator/

Everything else seems ok

···

Am 24.11.2017 um 13:52 schrieb Frédéric Esnault <frederic.esnault@ovyka.com>:

Hi SearchGuard,

I explained wrong, I got it working on two nodes during my tests. These two nodes were local on my desktop.
Now I'm deploying on a real environment, each node on its own server.

About the certifcates, I generated them using the scripts in search_guard_ssl. I just modified them to change the root ca passphrase and add a customized ip for each node, but for client nodes, I changed nothing except the root ca passphrase.

Here is the script generating all certificates :

#!/bin/bash
OPENSSL_VER="$(openssl version)"

if [[ $OPENSSL_VER == *"0.9"* ]]; then
        echo "Your OpenSSL version is too old: $OPENSSL_VER"
        echo "Please install version 1.0.1 or later"
        exit -1
else
    echo "Your OpenSSL version is: $OPENSSL_VER"
fi

set -e
./clean.sh

# Root CA
./gen_root_ca.sh capassphrase changeit

# Nodes
./gen_node_cert.sh ppjessbi changeit capassphrase 172.21.22.37
./gen_node_cert.sh ppjbies1 changeit capassphrase 172.21.22.38
./gen_node_cert.sh ppjbies2 changeit capassphrase 172.21.22.39
./gen_node_cert.sh ppjbies3 changeit capassphrase 172.21.22.40

# Applications clients
#
# This is the certificate that is not working
#
./gen_client_node_cert.sh jira changeit capassphrase

# Admin client
./gen_client_node_cert.sh sgadmin changeit capassphrase

rm -f ./*tmp*

On Friday, November 24, 2017 at 1:11:25 PM UTC+1, Search Guard wrote:
The output of -Djavax.net.debug=all goes to stdout (and so probably not into the logfile dependet from the way you installes ES. Maybe look in the systemd journal or start in in foreground mode).

"certificate_unknown" just means that the certificates in your keystore are not trusted by the root ca in your truststore. Maybe you messed up your certs somehow? Did you generate them from the same root ca?
What sounds strange to me is that you get it working with 2 nodes out of 3. Can you check whats different between the 2 working nodes and the 3rd node which does not work?

Pls post also the sgadmin command you use. Maybe the certs for sgadmin are not matching those which are deployed in the nodes?

> Am 24.11.2017 um 08:38 schrieb Frédéric Esnault <frederic...@ovyka.com>:
>
> Does any one have any idea ?
> @SearchGuard, you closed the related issue in github, but could you try to help ? I have no clue on what the problem could be, and can't manage to activate javax.net.debug.
>
>
>
> On Wednesday, November 22, 2017 at 7:18:36 PM UTC+1, Frédéric Esnault wrote:
> Hi everyone,
>
> I'm trying to deploy searchguard in a 3 nodes cluster.
> I already did it on a 2 nodes (both local) with success.
>
> I generated nodes certificates and client nodes certificates for applications connected to elasticsearch.
> All nodes seem to start correctly and discover each other.
>
> I tried to call elasticsearch using curl and a login/password user (defined in sg_internal_users.yml) and it works fine (I got a result with correct credentials, and Unauthorized when i use a wrong password).
>
> But then I tried to import my generated keystore and truststore in an application using SearchGuard plugin in its transport client (java), and got the following result in the target elasticsearch node logs :
>
> [2017-11-22T17:53:14,525][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown
>
> javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_144]
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
> at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
>
>
> This setup was working in my test setup, but here I can't get it to work.
>
> I found no way of logging ssl infos. I added -Djavax.net.debug=all in every location possible (jvm.options and directly in elasticsearch script), but got no ssl debug data.
> The only thing i get is searhguard debug info
>
> [2017-11-22T17:52:35,887][INFO ][o.e.n.Node ] [ppjbies1] JVM arguments [-Xms2g, -Xmx2g, -Djavax.net.debug=all, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -Djdk.io.permissionsUseCanonicalPath=true, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j.skipJansi=true, -XX:+HeapDumpOnOutOfMemoryError, -Djavax.net.debug=all, -Des.path.home=/opt/es-home]
> [2017-11-22T17:52:36,679][INFO ][c.f.s.SearchGuardPlugin ] Clustername: pp-company-es-cluster
> [2017-11-22T17:52:36,679][WARN ][c.f.s.SearchGuardPlugin ]
> ### LICENSE NOTICE Search Guard ###
>
> If you use one or more of the following features in production
> make sure you have a valid Search Guard license
> (See https://floragunn.com/searchguard-validate-license)
>
> * Kibana Multitenancy
> * LDAP authentication/authorization
> * Active Directory authentication/authorization
> * REST Management API
> * JSON Web Token (JWT) authentication/authorization
> * Kerberos authentication/authorization
> * Document- and Fieldlevel Security (DLS/FLS)
> * Auditlogging
>
> In case of any doubt mail to <sa...@floragunn.com>
> ###################################
>
> ### LICENSE NOTICE Search Guard ###
>
> If you use one or more of the following features in production
> make sure you have a valid Search Guard license
> (See https://floragunn.com/searchguard-validate-license)
>
> * Kibana Multitenancy
> * LDAP authentication/authorization
> * Active Directory authentication/authorization
> * REST Management API
> * JSON Web Token (JWT) authentication/authorization
> * Kerberos authentication/authorization
> * Document- and Fieldlevel Security (DLS/FLS)
> * Auditlogging
>
> In case of any doubt mail to <sa...@floragunn.com>
> ###################################
> [2017-11-22T17:52:36,680][WARN ][c.f.s.SearchGuardPlugin ] Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.
> Consider setting -Djdk.tls.rejectClientInitiatedRenegotiation=true to prevent DoS attacks through client side initiated TLS renegotiation.
> [2017-11-22T17:52:36,711][INFO ][c.f.s.SearchGuardPlugin ] Node [ppjbies1] is a transportClient: false/tribeNode: false/tribeNodeClient: false
> [2017-11-22T17:52:36,712][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS module not available
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Open SSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.SSL
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.version: 1.8.0_144
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vendor: Oracle Corporation
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.version: 1.8
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.vendor: Oracle Corporation
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.specification.name: Java Virtual Machine Specification
> [2017-11-22T17:52:36,725][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.name: Java HotSpot(TM) 64-Bit Server VM
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.vm.vendor: Oracle Corporation
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.version: 1.8
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.vendor: Oracle Corporation
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] java.specification.name: Java Platform API Specification
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.name: Linux
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.arch: amd64
> [2017-11-22T17:52:36,726][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] os.version: 2.6.32-642.11.1.el6.x86_64
> [2017-11-22T17:52:36,919][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for https [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
> [2017-11-22T17:52:36,931][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] JVM supports the following 57 ciphers for transport [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
> [2017-11-22T17:52:36,932][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is /opt/es-data/config/, from there the key- and truststore files are resolved relatively
> [2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks
> [2017-11-22T17:52:36,932][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config
> [2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.transport.truststore_filepath is /opt/es-data/config/truststore.jks
> [2017-11-22T17:52:36,933][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config
> [2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
> [2017-11-22T17:52:36,937][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
> [2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
> [2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,938][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,939][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1
> [2017-11-22T17:52:36,939][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
> [2017-11-22T17:52:36,939][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,940][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
> [2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,941][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store
> [2017-11-22T17:52:36,973][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.keystore_filepath is /opt/es-data/config/ppjbies1-keystore.jks
> [2017-11-22T17:52:36,974][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/ppjbies1-keystore.jks to /opt/es-data/config/ppjbies1-keystore.jks against /opt/es-data/config
> [2017-11-22T17:52:36,974][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] HTTPS client auth mode OPTIONAL
> [2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,974][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,975][INFO ][c.f.s.s.u.SSLCertificateHelper] No alias given, use the first one: ppjbies1
> [2017-11-22T17:52:36,975][WARN ][c.f.s.s.u.SSLCertificateHelper] Certificate chain for alias ppjbies1 contains a root certificate
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,975][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: is a certificate entry?false/is a key entry?true
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: chain len 3
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Signing CA, OU=company Signing CA, O=company, DC=company, DC=com of type 0 -> false
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias ppjbies1: single cert CN=ppjbies1.services.company.com, OU=APO, O=company, L=France, C=FR of type -1 -> false
> [2017-11-22T17:52:36,976][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Value for searchguard.ssl.http.truststore_filepath is /opt/es-data/config/truststore.jks
> [2017-11-22T17:52:36,977][DEBUG][c.f.s.s.DefaultSearchGuardKeyStore] Resolved /opt/es-data/config/truststore.jks to /opt/es-data/config/truststore.jks against /opt/es-data/config
> [2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Keystore has 1 entries/aliases
> [2017-11-22T17:52:36,977][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: is a certificate entry?true/is a key entry?false
> [2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] Alias root-ca-chain: single cert CN=company Root CA, OU=company Root CA, O=company, DC=company, DC=com of type 2147483647 -> true
> [2017-11-22T17:52:36,978][DEBUG][c.f.s.s.u.SSLCertificateHelper] No alias given, will trust all of the certificates in the store
> [2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] AES-256 not supported, max key length for AES is 128 bit.. That is not an issue, it just limits possible encryption strength. To enable AES 256 install 'Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files'
> [2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportClientProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
> [2017-11-22T17:52:36,983][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransportServerProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
> [2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTPProvider:JDK with ciphers [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
> [2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslTransport protocols [TLSv1.2, TLSv1.1]
> [2017-11-22T17:52:36,984][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] sslHTTP protocols [TLSv1.2, TLSv1.1]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [aggs-matrix-stats]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [ingest-common]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-expression]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-groovy]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-mustache]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [lang-painless]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [parent-join]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [percolator]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [reindex]
> [2017-11-22T17:52:36,987][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty3]
> [2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded module [transport-netty4]
> [2017-11-22T17:52:36,988][INFO ][o.e.p.PluginsService ] [ppjbies1] loaded plugin [search-guard-5]
> [2017-11-22T17:52:38,566][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
> [2017-11-22T17:52:38,617][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl
> [2017-11-22T17:52:38,618][INFO ][c.f.s.SearchGuardPlugin ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl
> [2017-11-22T17:52:38,619][DEBUG][c.f.s.SearchGuardPlugin ] Using com.floragunn.searchguard.transport.DefaultInterClusterRequestEvaluator as intercluster request evaluator class
> [2017-11-22T17:52:38,620][INFO ][c.f.s.SearchGuardPlugin ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl
> [2017-11-22T17:52:38,629][DEBUG][c.f.s.c.AdminDNs ] CN=sgadmin,OU=APO,O=company,L=France,C=FR is registered as an admin dn
> [2017-11-22T17:52:38,631][DEBUG][c.f.s.c.AdminDNs ] Loaded 1 admin DN's [CN=sgadmin,OU=APO,O=company,L=France,C=FR]
> [2017-11-22T17:52:38,632][DEBUG][c.f.s.c.AdminDNs ] Loaded 0 impersonation DN's {}
> [2017-11-22T17:52:38,645][DEBUG][c.f.s.c.ConfigurationLoader] Index is: searchguard
> [2017-11-22T17:52:38,646][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.http.XFFResolver@32120956
> [2017-11-22T17:52:38,674][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.auth.BackendRegistry@67770b37
> [2017-11-22T17:52:38,717][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] using max_chunk_size[8kb], max_header_size[8kb], max_initial_line_length[4kb], max_content_length[100mb], receive_predictor[64kb->64kb], pipelining[true], pipelining_max_events[10000]
> [2017-11-22T17:52:38,739][INFO ][o.e.d.DiscoveryModule ] [ppjbies1] using discovery type [zen]
> [2017-11-22T17:52:39,342][INFO ][o.e.n.Node ] [ppjbies1] initialized
> [2017-11-22T17:52:39,343][INFO ][o.e.n.Node ] [ppjbies1] starting ...
> [2017-11-22T17:52:39,413][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] using profile[default], worker_count[8], port[9300-9400], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[64kb->64kb]
> [2017-11-22T17:52:39,419][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] binding server bootstrap to: [0.0.0.0]
> [2017-11-22T17:52:39,498][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] Bound profile [default] to address {0.0.0.0:9300}
> [2017-11-22T17:52:39,500][INFO ][o.e.t.TransportService ] [ppjbies1] publish_address {172.21.22.38:9300}, bound_addresses {0.0.0.0:9300}
> [2017-11-22T17:52:39,510][INFO ][o.e.b.BootstrapChecks ] [ppjbies1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
> [2017-11-22T17:52:39,515][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists ...
> [2017-11-22T17:52:39,522][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [ppjbies1] no known master node, scheduling a retry
> [2017-11-22T17:52:59,361][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjessbi}{FVHpTmZURWGQs1yxLhu0kw}{cFtADFUYSEWk_mY6nrTCQQ}{172.21.22.37}{172.21.22.37:9300}]
> [2017-11-22T17:52:59,617][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] connected to node [{ppjbies2}{jhcY9XfoTIikmatGsYGpZQ}{w8W6-t8JSRuyZFf00gvXLQ}{172.21.22.39}{172.21.22.39:9300}]
> [2017-11-22T17:52:59,620][INFO ][o.e.c.s.ClusterSettings ] [ppjbies1] updating [cluster.routing.allocation.enable] from [ALL] to [all]
> [2017-11-22T17:52:59,926][DEBUG][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] Bound http to address {0.0.0.0:9200}
> [2017-11-22T17:52:59,928][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [ppjbies1] publish_address {172.21.22.38:9200}, bound_addresses {0.0.0.0:9200}
> [2017-11-22T17:52:59,929][INFO ][o.e.n.Node ] [ppjbies1] started
> [2017-11-22T17:53:00,698][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Node started, try to initialize it. Wait for at least yellow cluster state....
> [2017-11-22T17:53:00,762][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Try to load config ...
> [2017-11-22T17:53:02,080][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4
> [2017-11-22T17:53:02,087][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3
> [2017-11-22T17:53:02,091][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2
> [2017-11-22T17:53:02,093][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1
> [2017-11-22T17:53:02,096][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
> [2017-11-22T17:53:02,096][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Retrieved [rolesmapping, config, internalusers, actiongroups, roles] configs
> [2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for config (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=4
> [2017-11-22T17:53:03,177][DEBUG][c.f.s.c.ConfigurationLoader] Received config for roles (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=3
> [2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for rolesmapping (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=2
> [2017-11-22T17:53:03,178][DEBUG][c.f.s.c.ConfigurationLoader] Received config for internalusers (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=1
> [2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.http.XFFResolver@32120956 listener about change configuration with type config
> [2017-11-22T17:53:03,181][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Notify com.floragunn.searchguard.auth.BackendRegistry@67770b37 listener about change configuration with type config
> [2017-11-22T17:53:03,184][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Node 'ppjbies1' initialized
> [2017-11-22T17:53:03,184][DEBUG][c.f.s.c.ConfigurationLoader] Received config for actiongroups (of [config, roles, rolesmapping, internalusers, actiongroups]) with current latch value=0
> [2017-11-22T17:53:04,225][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown
>
>
> And i configured each node this way, configured users, roles, actions and so on, then installed them using sgadmin.sh, whcih finished with success message.
>
> ######## Start Search Guard Configuration ########
> searchguard.ssl.transport.enabled: true
> searchguard.ssl.transport.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks
> searchguard.ssl.transport.truststore_filepath: /opt/es-data/config/truststore.jks
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.http.enabled: true
> searchguard.ssl.http.keystore_filepath: /opt/es-data/config/ppjessbi-keystore.jks
> searchguard.ssl.http.truststore_filepath: /opt/es-data/config/truststore.jks
> # The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.
> searchguard.authcz.admin_dn:
> - CN=sgadmin,OU=APO,O=company,L=France,C=FR
>
> ######## End Search Guard Configuration ########
>
>
>
> I would really appreciate if someone could help.
>
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/122c40c4-8682-4dde-8a38-6d16e7a653f0%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/424db490-29ed-4bae-8ea3-06058fcc67ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I did not call the generator twice. And I already cleaned up every certificates (even nodes ones) once, recreating all certs by call the generate all script (only once).
I’ll try again…

Btw I did launch the node in frontend, and got ssl debug, but the error is not really helping :

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], READ: TLSv1.2 Handshake, length = 136

*** ClientHello, TLSv1.2

RandomCookie: GMT: 1511529205 bytes = { 215, 56, 94, 216, 125, 171, 128, 135, 128, 189, 174, 27, 59, 4, 156, 93, 204, 197, 95, 160, 42, 129, 10, 253, 11, 215, 67, 9 }

Session ID: {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]

Compression Methods: { 0 }

Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Extension renegotiation_info, renegotiated_connection:

···

[read] MD5 and SHA1 hashes: len = 136

0000: 01 00 00 84 03 03 5A 18 1B F5 D7 38 5E D8 7D AB …Z…8^…

0010: 80 87 80 BD AE 1B 3B 04 9C 5D CC C5 5F A0 2A 81 …;…]…_.*.

0020: 0A FD 0B D7 43 09 00 00 16 C0 23 C0 27 00 67 00 …C…#.’.g.

0030: 40 C0 09 C0 13 00 33 C0 2B C0 2F 00 9E 00 A2 01 @…3.+./…

0040: 00 00 45 00 0A 00 16 00 14 00 17 00 18 00 19 00 …E…

0050: 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 …

0060: 02 01 00 00 0D 00 1C 00 1A 06 03 06 01 05 03 05 …

0070: 01 04 03 04 01 04 02 03 03 03 01 03 02 02 03 02 …

0080: 01 02 02 FF 01 00 01 00 …

%% Initialized: [Session-40, SSL_NULL_WITH_NULL_NULL]

2C 64 01 19 16 03 63 6F …&…,d…co

0090: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0…&…,d. …

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], SEND TLSv1.2 ALERT: warning, description = close_notify

Padded plaintext before ENCRYPTION: len = 64

0000: C7 14 39 F1 B1 68 3C 2B 3E 3C F9 59 1E 5E 8C F4 …9…h<+><.Y.^…

0010: 01 00 E8 DA 73 D8 0C B6 51 8B 57 0F 3C 11 5A E2 …s…Q.W.<.Z.

0020: D6 3F 2E 45 42 DB 1B 54 E6 03 5F E8 23 C9 DA 9C .?.EB…T…_.#…

0030: 8E 8C 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D …

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], WRITE: TLSv1.2 Alert, length = 64

[Raw write]: length = 69

0000: 15 03 03 00 40 F7 ED EC BD 91 97 95 4C 8C DF 16 …@…L…

0010: 4A CE FB 01 2E 99 E2 FD 4D B4 F7 68 BA 7B 98 07 J…M…h…

0020: 1A 84 2C E9 9C 5C D8 F1 84 CD D2 F0 39 4F B0 12 …,…9O…

0030: 95 48 F6 5F 5B 14 A2 02 41 2F 5A E8 A7 F3 1E 65 .H._[…A/Z…e

0040: 1B B1 BE 48 BB …H.

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()

Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

%% Negotiating: [Session-40, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]

*** ServerHello, TLSv1.2

RandomCookie: GMT: 1511529209 bytes = { 197, 20, 240, 171, 131, 155, 239, 101, 125, 223, 7, 242, 83, 102, 237, 75, 112, 180, 213, 72, 25, 143, 110, 79, 185, 22, 61, 229 }

Session ID: {90, 24, 27, 249, 98, 209, 218, 130, 81, 251, 233, 42, 137, 59, 230, 220, 130, 73, 170, 205, 156, 123, 28, 115, 167, 173, 18, 52, 0, 166, 219, 10}

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Compression Method: 0

Extension renegotiation_info, renegotiated_connection:


Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

*** Certificate chain

chain [0] = [

[

Version: V3

Subject: CN=ppjbies1.services.ingenico.com, OU=APO, O=Ingenico, L=France, C=FR

Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits

modulus: 18064921354489852508993127027925376066778304116073610862176631673270256570327624165869734576872085117977348782037160617552209238151199666595325892602232671614704707062365592163068816885003452529178773550773770572518227411333816445153462676818051213112313466711109217566735794204149027894627013201417436365493293256810832702861958045647124768607294634223790506902299607419914203463020750147507391444257415498786814192403108729379625941842128383642891468587393939251603544641452936897393276703634523517589633486000259596240426308592960812987414502319161178866400467712824775706495030431786359187511046195890552791518049

public exponent: 65537

Validity: [From: Wed Nov 22 16:19:51 GMT 2017,

           To: Fri Nov 22 16:19:51 GMT 2019]

Issuer: CN=Ingenico Signing CA, OU=Ingenico Signing CA, O=Ingenico, DC=ingenico, DC=com

SerialNumber: [ 02]

Certificate Extensions: 7

[1]: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A .XQ…!.."GZ

0010: BD 9E 2B 70 …+p

]

]

[2]: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:false

PathLen: undefined

]

[3]: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints [

[DistributionPoint:

 [URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]

]]

[4]: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

serverAuth

clientAuth

]

[5]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

DigitalSignature

Key_Encipherment

]

[6]: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: ppjbies1.services.ingenico.com

DNSName: localhost

IPAddress: 172.21.22.38

OIDName: 1.2.3.4.5.5

]

[7]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 77 B4 4D 46 B5 92 47 48 17 91 6F 23 5F 46 61 56 w.MF…GH…o#_FaV

0010: 7C 0C C1 C8 …

]

]

]

Algorithm: [SHA256withRSA]

Signature:

0000: 89 17 4E 12 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED …N.V.C]<…h.

0010: 3E 1A E1 31 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 >…1v.]…Rw.=.9.

0020: EB 2B 19 5E 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 .+.^x2…y…y…

0030: 84 B8 6D B8 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 …m.n…S…^. …7

0040: 39 A0 C2 47 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 9…G)ZJ.([…&…0

0050: 43 16 64 36 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 C.d6iB…M.NcW.

0060: 82 C8 55 CA B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 …U…W…CU.r.

0070: 29 C4 4A 64 88 4B 7F 25 A1 59 E9 FB A9 B2 B5 1D ).Jd.K.%.Y…

0080: 73 70 30 CA 33 D7 F3 0F B1 3D 0C 71 F6 BA BA 22 sp0.3…=.q…"

0090: EF F8 7C DE F0 31 41 A9 76 8E 05 3D 03 12 3F AA …1A.v…=…?.

00A0: E2 17 F5 5F FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F …_.M…o’$…

00B0: 00 36 07 2F BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 .6./.b…].r;.B

00C0: A9 A4 81 B9 F0 EF 67 57 CD EA C1 BE BF CB 20 DE …gW… .

00D0: E5 11 F3 35 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 …5bX…E

00E0: 9F 79 6E DC F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 .yn…D…8…

00F0: B1 76 BB 47 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 .v.G.I…n…7…

]

chain [1] = [

[

Version: V3

Subject: CN=Ingenico Signing CA, OU=Ingenico Signing CA, O=Ingenico, DC=ingenico, DC=com

Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits

modulus: 25401584571038775979607975285408514307764097153855163720983375600685013110287744065471284196111235549192912025313072890847266900630754641885195429109539996477347803786475877936094308787919571242900954684180751067754282949233377334064194787814558548293309815351829443613669719592776082525563017426701047792736535904880999155049315130761821098742029602012185995909946657587846899715202831440099035646268672534274772721915305532175578933219991015506072207170772259046646159751553373278023070596457356408101672446565479119958486331221218156822829316497007137499876726676976552997223674258988908516629630726192040234634651

public exponent: 65537

Validity: [From: Wed Nov 22 16:19:48 GMT 2017,

           To: Mon Nov 22 16:19:48 GMT 2027]

Issuer: CN=Ingenico Root CA, OU=Ingenico Root CA, O=Ingenico, DC=ingenico, DC=com

SerialNumber: [ 02]

Certificate Extensions: 4

[1]: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 ….Y..b[..A<…

0010: 23 11 31 8B #.1.

]

]

[2]: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:true

PathLen:0

]

[3]: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

Key_CertSign

Crl_Sign

]

[4]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A .XQ…!.."GZ

0010: BD 9E 2B 70 …+p

]

]

]

Algorithm: [SHA256withRSA]

Signature:

0000: 02 32 49 FB 25 7C 47 CC 17 38 5B 00 F8 D6 5E D7 .2I.%.G…8[…^.

0010: 2F FA E6 BC 4B 81 B7 1A 91 8F 38 AD DA 5B 54 DF /…K…8…[T.

0020: 13 DB 56 9B 51 CC 0A C8 F4 07 EF 53 95 94 DD 98 …V.Q…S…

0030: 9F EB A2 FE 09 7D E5 23 F6 B5 B5 B2 0D 59 71 66 …#…Yqf

0040: B1 64 A5 3A 59 C9 44 7F 01 B7 AE 5E F3 E1 79 08 .d.:Y.D…^…y.

0050: 24 BB C9 CA AC 5F BD B4 D5 76 36 3D CA 07 0E 39 $…_…v6=…9

0060: 02 8D 23 84 FA 80 2C A5 74 2D B2 36 DF CA E5 F9 …#…,.t-.6…

0070: 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 77 93 D6 E8 D4 …:…T…w…

0080: 41 F1 A9 93 6B 03 E5 C0 91 3B 3C 9C 4C B6 21 ED A…k…;<.L.!.

0090: 2D C7 20 9A D4 CC 22 23 01 6D 96 B4 3C 8F 78 25 -. …"#.m…<.x%

00A0: 7E ED 4A DA 14 BC 9C 7D 4C BF 94 60 82 BB BC 53 …J…L…`…S

00B0: AC 00 2B 50 45 74 F2 71 4D BF 7F B9 CF 96 27 CC …+PEt.qM…’.

00C0: D2 27 E2 37 CE 84 0D 7F F2 3E E6 06 63 5A E6 71 .’.7…>…cZ.q

00D0: 1F 08 14 B4 C4 A4 E0 F0 9E CB AA 10 FF BA 63 95 …c.

00E0: 96 BD 13 25 5B 3D D5 51 FF 76 00 3E 57 84 30 EC …%[=.Q.v.>W.0.

00F0: AC B3 7D 02 07 D2 93 5A 00 D4 B0 E9 97 86 9A 23 …Z…#

]


00A0: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 …ingenico1.0…

00B0: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C .U…Ingenico1.

00C0: 30 1A 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 0…U…Ingenic

00D0: 6F 20 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A o Signing CA1.0.

00E0: 06 03 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 …U…Ingenico

00F0: 53 69 67 6E 69 6E 67 20 43 41 30 1E 17 0D 31 37 Signing CA0…17

0100: 31 31 32 32 31 36 31 39 35 31 5A 17 0D 31 39 31 1122161951Z…191

0110: 31 32 32 31 36 31 39 35 31 5A 30 68 31 0B 30 09 122161951Z0h1.0.

0120: 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 …U…FR1.0…U

0130: 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 03 …France1.0…

0140: 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C 30 U…Ingenico1.0

0150: 0A 06 03 55 04 0B 13 03 41 50 4F 31 27 30 25 06 …U…APO1’0%.

0160: 03 55 04 03 13 1E 70 70 6A 62 69 65 73 31 2E 73 .U…ppjbies1.s

0170: 65 72 76 69 63 65 73 2E 69 6E 67 65 6E 69 63 6F ervices.ingenico

0180: 2E 63 6F 6D 30 82 01 22 30 0D 06 09 2A 86 48 86 .com0…"0…*.H.

0190: F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A …0…

01A0: 02 82 01 01 00 8F 1A 0B C4 67 3F BC 37 24 27 1F …g?.7$’.

01B0: 3A 31 60 30 03 8A BE 26 FE 5E 38 94 5F A8 48 54 :1`0…&.^8._.HT

01C0: F6 BC 21 FB 23 13 E9 AF 96 0A 6A A2 CE A2 40 03 …!.#…j…@.

01D0: 7D 2B 5E 2F 59 03 6A AA A5 E5 8C 21 0E 70 CC D4 .+^/Y.j…!.p…

01E0: 9C 44 B9 1E 54 57 E1 F9 DC 7E AC F0 3B 43 0F 5A .D…TW…;C.Z

01F0: B5 D4 55 89 24 9D 83 E3 3C C2 89 08 E3 54 55 2F …U.$…<…TU/

0200: 20 CD C8 03 DC 32 C6 FE 37 88 06 C4 DD B8 EC AB …2…7…

0210: 2C F4 0C ED CF 9C 94 4C 1F 85 C8 FD 7E 1F 3E F0 ,…L…>.

0220: 6D 33 DB E3 06 A2 CB 87 09 DA 95 3B BB EB 19 B8 m3…;…

0230: C3 CC 50 0C E6 EA D4 63 B5 22 8F 26 4B 56 9B 50 …P…c.".&KV.P

0240: 3D E5 96 6A 57 8E 71 31 B6 21 DE 2B 4B 37 45 A6 =…jW.q1.!.+K7E.

0250: 5A A8 ED C3 8D E4 1D FF 76 0B CD 5E 79 C5 E5 55 Z…v…^y…U

0260: 13 01 AA 2B 59 43 C3 D0 A2 94 A6 4F A6 F7 5F C8 …+YC…O…_.

0270: 35 04 8E E2 65 9F 27 4D 45 93 52 DF 22 A2 B8 B7 5…e.'ME.R."…

0280: B1 BE 30 30 CC A0 4C 0E 04 32 F2 21 86 AA 54 44 …00…L…2.!..TD

0290: A3 AB 65 A6 26 57 3E 92 7D 57 40 B3 55 4A 68 F7 …e.&W>…W@.UJh.

02A0: 17 66 56 4B 61 02 03 01 00 01 A3 82 01 25 30 82 .fVKa…%0.

02B0: 01 21 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 .!0…U…

02C0: 05 A0 30 09 06 03 55 1D 13 04 02 30 00 30 1D 06 …0…U…0.0…

02D0: 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 .U.%…0…+…

02E0: 03 01 06 08 2B 06 01 05 05 07 03 02 30 1D 06 03 …+…0…

02F0: 55 1D 0E 04 16 04 14 77 B4 4D 46 B5 92 47 48 17 U…w.MF…GH.

0300: 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 1F 06 03 55 .o#_FaV…0…U

0310: 1D 23 04 18 30 16 80 14 93 58 51 F7 1A 12 15 21 .#…0…XQ…!

0320: 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 30 62 06 03 …"GZ…+p0b…

0330: 55 1D 1F 04 5B 30 59 30 57 A0 55 A0 53 86 51 68 U…[0Y0W.U.S.Qh

0340: 74 74 70 73 3A 2F 2F 72 61 77 2E 67 69 74 68 75 ttps://raw.githu

0350: 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D busercontent.com

0360: 2F 66 6C 6F 72 61 67 75 6E 6E 63 6F 6D 2F 75 6E /floragunncom/un

0370: 69 74 74 65 73 74 2D 61 73 73 65 74 73 2F 6D 61 ittest-assets/ma

0380: 73 74 65 72 2F 72 65 76 6F 6B 65 64 2E 63 72 6C ster/revoked.crl

0390: 30 41 06 03 55 1D 11 04 3A 30 38 82 1E 70 70 6A 0A…U…:08…ppj

03A0: 62 69 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 bies1.services.i

03B0: 6E 67 65 6E 69 63 6F 2E 63 6F 6D 82 09 6C 6F 63 ngenico.com…loc

03C0: 61 6C 68 6F 73 74 87 04 AC 15 16 26 88 05 2A 03 alhost…&…*.

03D0: 04 05 05 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B …0…*.H…

03E0: 05 00 03 82 01 01 00 89 17 4E 12 56 7F 43 5D 3C …N.V.C]<

03F0: CE D9 F1 96 A5 68 ED 3E 1A E1 31 76 A7 5D 97 E8 …h.>…1v.]…

0400: 52 77 DA 3D F4 39 07 EB 2B 19 5E 78 32 B6 0D 02 Rw.=.9…+.^x2…

0410: 79 C4 00 C1 79 A4 02 84 B8 6D B8 6E CC 04 53 A4 y…y…m.n…S.

0420: D5 5E 80 20 D5 CC 37 39 A0 C2 47 29 5A 4A 08 28 .^. …79…G)ZJ.(

0430: 5B CD 7E 26 11 2E 30 43 16 64 36 69 42 8A E1 E2 […&…0C.d6iB…

0440: 0C 4D BC 4E 63 57 06 82 C8 55 CA B1 85 57 CF D7 .M.NcW…U…W…

0450: C0 1C 43 55 F3 72 B6 29 C4 4A 64 88 4B 7F 25 A1 …CU.r.).Jd.K.%.

0460: 59 E9 FB A9 B2 B5 1D 73 70 30 CA 33 D7 F3 0F B1 Y…sp0.3…

0470: 3D 0C 71 F6 BA BA 22 EF F8 7C DE F0 31 41 A9 76 =.q…"…1A.v

0480: 8E 05 3D 03 12 3F AA E2 17 F5 5F FA 4D EE 80 89 …=…?.._.M…

0490: 8C 6F 27 24 A6 B2 0F 00 36 07 2F BA 62 B3 1A 0F .o’$…6./.b…

04A0: 93 5D 81 72 3B AB 42 A9 A4 81 B9 F0 EF 67 57 CD .].r;.B…gW.

04B0: EA C1 BE BF CB 20 DE E5 11 F3 35 62 58 F4 08 E1 … …5bX…

04C0: BC D6 B2 A6 DC 93 45 9F 79 6E DC F0 1B A8 CA 44 …E.yn…D

04D0: F6 86 0E DA 38 0D E1 B1 76 BB 47 0A 49 DA CF F2 …8…v.G.I…

04E0: E4 6E 8F E1 37 9C F8 00 03 DB 30 82 03 D7 30 82 .n…7…0…0.

04F0: 02 BF A0 03 02 01 02 02 01 02 30 0D 06 09 2A 86 …0…*.

0500: 48 86 F7 0D 01 01 0B 05 00 30 78 31 13 30 11 06 H…0x1.0…

0510: 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D …&…,d…com

0520: 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0…&…,d…

0530: 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 …ingenico1.0…

0540: 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 30 U…Ingenico1.0

0550: 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 6F …U…Ingenico

0560: 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 04 Root CA1.0…U.

0570: 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F 74 …Ingenico Root

0580: 20 43 41 30 1E 17 0D 31 37 31 31 32 32 31 36 31 CA0…171122161

0590: 39 34 38 5A 17 0D 32 37 31 31 32 32 31 36 31 39 948Z…2711221619

05A0: 34 38 5A 30 7E 31 13 30 11 06 0A 09 92 26 89 93 48Z0.1.0…&…

05B0: F2 2C 64 01 19 16 03 63 6F 6D 31 18 30 16 06 0A .,d…com1.0…

05C0: 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 67 65 …&…,d…inge

05D0: 6E 69 63 6F 31 11 30 0F 06 03 55 04 0A 0C 08 49 nico1.0…U…I

05E0: 6E 67 65 6E 69 63 6F 31 1C 30 1A 06 03 55 04 0B ngenico1.0…U…

05F0: 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 …Ingenico Signi

0600: 6E 67 20 43 41 31 1C 30 1A 06 03 55 04 03 0C 13 ng CA1.0…U…

0610: 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 Ingenico Signing

0620: 20 43 41 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 CA0…"0…*.H…

0630: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 …0…

0640: 82 01 01 00 C9 38 24 AC 9F 51 53 FE 46 D0 06 97 …8$…QS.F…

0650: 2A 68 55 68 F4 26 3A 0F 27 0E 6E CB 2B CB D7 6D *hUh.&:.’.n.+…m

0660: 7F D2 37 6B F8 6D 34 EA A9 BE 53 04 11 09 C1 42 …7k.m4…S…B

0670: FA 5D 5D 4A CA 48 25 C3 F7 6C 37 37 86 B0 70 22 .]]J.H%…l77…p"

0680: 3F BA F6 E9 D4 DA 2C DB 48 4F 48 F0 9A CF AA 60 ?..,.HOH…`

0690: 11 6D 4E 40 35 86 9C 15 8A 1E 3D 25 CE B4 EF 10 .mN@5…=%…

06A0: 4C C9 A6 82 47 3D AA 32 13 C3 9C 9A C8 29 BE 70 L…G=.2…).p

06B0: 9F 20 B9 4B C9 26 01 CC DE 68 86 C1 87 D5 62 3D . .K.&…h…b=

06C0: FD 9F 8D FE A7 09 F4 9E 0B A9 46 31 E7 D8 E6 DA …F1…

06D0: 97 5F 10 75 66 EA D6 AE 05 39 C6 FD 4A 78 44 58 ._.uf…9…JxDX

06E0: 7D F9 00 4A D7 2B 74 1B 3C 3E 06 34 A9 6C 80 78 …J.+t.<>.4.l.x

06F0: 84 74 E4 B5 14 5A 2A CA 02 46 65 C1 26 90 63 05 .t…Z*…Fe.&.c.

0700: 5C 71 29 FE 29 2C 0D F3 73 2E 46 8D AA 4A 3B 1D \q).),…s.F…J;.

0710: 1F 8D 0C AE D1 97 83 C3 F6 2E 49 08 2F 91 0B 5A …I./…Z

0720: AF A9 A5 A9 7D CE 3D 4D 4B A9 4A C9 26 71 4C 3C …=MK.J.&qL<

0730: 9C 5E A7 5C 25 CB FA 7D 11 53 E7 F7 4E AA 79 DC .^.%…S…N.y.

0740: 78 1E CD 9B 02 03 01 00 01 A3 66 30 64 30 0E 06 x…f0d0…

0750: 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 12 06 .U…0…

0760: 03 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 .U…0…

0770: 00 30 1D 06 03 55 1D 0E 04 16 04 14 93 58 51 F7 .0…U…XQ.

0780: 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 …!.."GZ…+p

0790: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 0E 89 24 0…U.#…0…$

07A0: A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 23 11 31 .Y…b[…A$<…#.1

07B0: 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 .0…*.H…

07C0: 03 82 01 01 00 02 32 49 FB 25 7C 47 CC 17 38 5B …2I.%.G…8[

07D0: 00 F8 D6 5E D7 2F FA E6 BC 4B 81 B7 1A 91 8F 38 …^./…K…8

07E0: AD DA 5B 54 DF 13 DB 56 9B 51 CC 0A C8 F4 07 EF …[T…V.Q…

07F0: 53 95 94 DD 98 9F EB A2 FE 09 7D E5 23 F6 B5 B5 S…#…

0800: B2 0D 59 71 66 B1 64 A5 3A 59 C9 44 7F 01 B7 AE …Yqf.d.:Y.D…

0810: 5E F3 E1 79 08 24 BB C9 CA AC 5F BD B4 D5 76 36 ^…y.$…_…v6

0820: 3D CA 07 0E 39 02 8D 23 84 FA 80 2C A5 74 2D B2 =…9…#…,.t-.

0830: 36 DF CA E5 F9 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 6…:…T…

0840: 77 93 D6 E8 D4 41 F1 A9 93 6B 03 E5 C0 91 3B 3C w…A…k…;<

0850: 9C 4C B6 21 ED 2D C7 20 9A D4 CC 22 23 01 6D 96 .L.!.-. …"#.m.

0860: B4 3C 8F 78 25 7E ED 4A DA 14 BC 9C 7D 4C BF 94 .<.x%…J…L…

0870: 60 82 BB BC 53 AC 00 2B 50 45 74 F2 71 4D BF 7F `…S…+PEt.qM…

0880: B9 CF 96 27 CC D2 27 E2 37 CE 84 0D 7F F2 3E E6 …’…’.7…>.

0890: 06 63 5A E6 71 1F 08 14 B4 C4 A4 E0 F0 9E CB AA .cZ.q…

08A0: 10 FF BA 63 95 96 BD 13 25 5B 3D D5 51 FF 76 00 …c…%[=.Q.v.

08B0: 3E 57 84 30 EC AC B3 7D 02 07 D2 93 5A 00 D4 B0 >W.0…Z…

08C0: E9 97 86 9A 23 0C 00 01 49 03 00 17 41 04 17 F0 …#…I…A…

08D0: E9 F0 D9 ED 60 8B 0C 3A B9 26 06 CF 38 39 4C A0 …`…:.&…89L.

08E0: E9 0E 20 99 FE 2A 60 00 31 18 0B 15 45 6D EA 12 … …*`.1…Em…

08F0: B2 F6 8D E9 55 9C EC C1 05 F4 4F 46 E5 16 63 60 …U…OF…c`

0900: BD 5B BC 93 3C D2 3C 9B 69 73 93 8A 33 4F 06 01 .[…<.<.is…3O…

0910: 01 00 81 66 29 2B D9 A0 A4 D3 1F 4D 14 24 E7 10 …f)+…M.$…

0920: FC EB 1D 95 B0 11 39 F2 A1 FA 43 AF 91 C9 E5 E9 …9…C…

0930: 42 21 A4 AF A9 3B 4A 6B 2C 16 0B E0 2D 84 8E 51 B!..;Jk,…-…Q

0940: 5E C7 CA FB EA 89 DF FC 08 1F F5 39 38 EF 9E DB ^…98…

0950: A5 DD FB A1 61 E3 A0 6D F2 71 D5 94 C9 D9 AF F5 …a…m.q…

0960: E6 1A C1 0C 46 97 D9 35 85 34 30 18 0C 36 A5 CD …F…5.40…6…

0970: C5 B4 D0 42 B9 0C 77 95 C1 5D E3 96 E3 D8 00 53 …B…w…]…S

0980: A1 E3 98 4A 94 69 FA 13 65 9A 42 B3 AC BF 13 12 …J.i…e.B…

0990: 29 B9 8E 0A 7E EC AE 3B 63 C7 F2 64 D7 77 BC 7D )…;c…d.w…

09A0: 6E 1B A8 3F 69 62 D7 77 3A C5 FD 48 94 BA 01 CA n…?ib.w:…H…

09B0: B3 52 F9 49 38 0D E7 95 C1 7A D3 69 5A 7C 4E 06 .R.I8…z.iZ.N.

09C0: DF 25 54 49 BB B7 6E A4 34 F7 42 7B 5E 67 5A 5C .%TI…n.4.B.^gZ\

09D0: 16 45 F0 E4 3A B9 C6 52 EB 73 2C 3D 14 B5 FC A3 .E…:…R.s,=…

09E0: AC EC 20 14 A0 C7 AB B0 22 CC F6 A3 F9 96 20 93 … …"… .

09F0: B0 E6 AA 68 D6 F3 3E 96 D3 02 1E 44 58 5E A8 17 …h…>…DX^…

0A00: 17 F8 5B DF 6E 2F 9A F8 A8 4D 3F 5F 8A CD A9 D7 …[.n/…M?_…

0A10: 6F BD 0D 00 00 F0 03 01 02 40 00 1A 06 03 06 01 o…@…

0A20: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 …

0A30: 02 03 02 01 02 02 00 CE 00 7A 30 78 31 13 30 11 …z0x1.0.

0A40: 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F …&…,d…co

0A50: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0…&…,d.

0A60: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 …ingenico1.0…

0A70: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 .U…Ingenico1.

0A80: 30 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 0…U…Ingenic

0A90: 6F 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 o Root CA1.0…U

0AA0: 04 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F …Ingenico Roo

0AB0: 74 20 43 41 00 50 30 4E 31 0B 30 09 06 03 55 04 t CA.P0N1.0…U.

0AC0: 06 13 02 46 52 31 0F 30 0D 06 03 55 04 07 13 06 …FR1.0…U…

0AD0: 46 72 61 6E 63 65 31 11 30 0F 06 03 55 04 0A 13 France1.0…U…

0AE0: 08 49 6E 67 65 6E 69 63 6F 31 0C 30 0A 06 03 55 .Ingenico1.0…U

0AF0: 04 0B 13 03 41 50 4F 31 0D 30 0B 06 03 55 04 03 …APO1.0…U…

0B00: 13 04 6A 69 72 61 0E 00 00 00 …jira…

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Handshake, length = 2826

[Raw write]: length = 2831

0000: 16 03 03 0B 0A 02 00 00 4D 03 03 5A 18 1B F9 9B …M…Z…

0010: 68 16 39 1A 61 6A 41 63 02 00 CF BC B5 6A C5 C5 h.9.ajAc…j…

0020: 81 69 5A 8D AF 01 79 86 98 E6 2E 20 5A 18 1B F9 .iZ…y… Z…

0030: E4 27 88 72 47 11 5B 8F E4 BE CA 0E B2 B4 C0 33 .’.rG.[…3

0040: EC 92 7B 6E 08 61 6D 19 93 2D 9E 3A C0 27 00 00 …n.am…-.:.’…

0050: 05 FF 01 00 01 00 0B 00 08 70 00 08 6D 00 04 8C …p…m…

0060: 30 82 04 88 30 82 03 70 A0 03 02 01 02 02 01 02 0…0…p…

0070: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 0…*.H…0

0080: 7E 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 .1.0…&…,d.

0090: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 …com1.0…&.

00A0: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F …,d…ingenico

00B0: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0…U…Ingen

00C0: 69 63 6F 31 1C 30 1A 06 03 55 04 0B 0C 13 49 6E ico1.0…U…In

00D0: 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 genico Signing C

00E0: 41 31 1C 30 1A 06 03 55 04 03 0C 13 49 6E 67 65 A1.0…U…Inge

00F0: 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 41 30 nico Signing CA0

0100: 1E 17 0D 31 37 31 31 32 32 31 36 31 39 35 31 5A …171122161951Z

0110: 17 0D 31 39 31 31 32 32 31 36 31 39 35 31 5A 30 *** ECDH ServerKeyExchange

Signature Algorithm SHA512withRSA

…191122161951Z0

0120: 68 31 0B 30 09 06 03 55 04 06 13 02 46 52 31 0F h1.0…U…FR1.

0130: 30 0D 06 03 55 04 07 13 06 46 72 61 6E 63 65 31 0…U…France1

0140: 11 30 0F 06 03 55 04 0A 13 08 49 6E 67 65 6E 69 .0…U…Ingeni

0150: 63 6F 31 0C 30 0A 06 03 55 04 0B 13 03 41 50 4F co1.0…U…APO

0160: 31 27 30 25 06 03 55 04 03 13 1E 70 70 6A 62 69 1’0%…U…ppjbi

Server key: Sun EC public key, 256 bits

public x coord: 94603154185594758712177503329309423254472990815864490343227687521905671056078

public y coord: 55741497693188403891737767541228575825312812852334675528804140042533062606815

parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)

0170: 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 6E 67 es1.services.ing

0180: 65 6E 69 63 6F 2E 63 6F 6D 30 82 01 22 30 0D 06 enico.com0…"0…

0190: 09 2A 86 48 86 F7*** CertificateRequest

Cert Types: RSA 0D 01 01 01 05 00 03 82 01 0F .*.H…

01A0: 00 30 82 01 0A 02 82 01 01 00 8F 1A 0B C4 67 3F .0…g?

01B0: BC 37 24 27 1F 3A 31 60 30 03 8A BE 26 FE 5E 38 .7$’.:1`0…&.^8

01C0: 94 5F A8 48 54 F6 BC 21 FB 23 13 E9 AF 96 0A 6A ._.HT…!.#…j

01D0: A2 CE A2 40 03 7D 2B 5E 2F 59 03 6A AA A5 E5 8C …@…+^/Y.j…

01E0: 21 0E 70 CC D4 9C 44 B9 1E 54 57 E1 F9 DC 7E AC !.p…D…TW…

01F0: F0 3B 43 0F 5A B5 D4 55 89 24 9D 83 E3 3C C2 89 , DSS, ECDSA .;C.Z…U.$…<…

0200: 08 E3 54 55 2F 20 CD

C8 03 DC 32 C6 FE 37 88 06 Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Cert Authorities:

…TU/ …2…7…

0210: C4 DD B8 EC AB 2C F4 0C ED CF 9C 94 4C 1F 85 C8 …,…L…

0220: FD 7E 1F 3E F0 6D 33 DB E3 06 A2 CB 87 09 DA 95 …>.m3…

0230: 3B BB EB 19 B8 C3 CC 50 <CN=Ingenico Root CA, OU=Ingenico Root CA, O=Ingenico, DC=ingenico, DC=com>

0C E6 EA D4 63 B5 22 8F ;…P…c.".

0240: 26 4B<CN=jira, OU=APO, O=Ingenico, L=France, C=FR>

56 9B 50 3D E5 96 6A 57 8E 71*** ServerHelloDone

31[write] MD5 and SHA1 hashes: len = 2826

B6 21 DE &KV.P=…jW.q1.!.

0250: 2B 4B 37 45 A6 5A A8 ED C3 8D E4 1D FF 76 0B CD +K7E.Z…0…v…

0260000: 5E 79 C5 E5 55 13 01 AA 2B 59 43 C3 D0 A2 94 A6 ^y…U…+YC…

0270: 4F A6 F7 5F C8 35 04 8E: 02 00 00 4D 03 03 5A 18 1B F9 C5 14 F0 AB 83 9B …M…Z…

0010: EF 65 7D DF 07 F2 53 66 ED 4B 70 B4 D5 48 19 8F .e…Sf.Kp…H…

0020: 6E 4F B9 16 3D E5 20 5A 18 1B F9 62 D1 DA 82 51 nO…=. Z…b…Q

0030: FB E9 2A 89 3B E6 DC 82 49 AA CD 9C E2 65 9F 27 4D 45 93 52 O…_.5…e.'ME.R

0280: DF 22 A2 B8 B7 B1 BE 30 7B 1C 73 A7 …*.;… 30 CC A0 4C 0E 04 32 F2 ."…00…L…2.

0290: 21 86 AA 54 44 A3 AB 65 A6 26 57 3E 92 7D 57 40 !..TD…e.&W>…W@

02A0: B3 55 4A 68 F7 17 66 56 4B 61 02 03 01 00 01 A3 .UJh…fVKa…

02B0: 82 01 25 30 82 01 21 30 0E 06 03 55 1D 0F 01 01 …%0…!0…U…

02C0: FF 04 04 03 02 05 A0 30 09 06 03 55 1D 13 04 02 …0…U…

02D0: 30 00 30 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 0.0…U.%…0…+

02E0: 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 …+…

02F0: 02 30 1D 06 03 55.I…s.

0040: AD 12 34 00 A6 DB 0A C0 27 00 00 05 FF 01 00 01 …4…’…

0050: 00 0B 00 08 70 00 08 6D 00 04 8C 30 82 04 88 30 …p…m…0…0

0060: 82 03 70 A0 03 02 01 02 02 01 02 1D 0E 04 16 04 14 77 B4 4D 46 .0…U…w.MF

0300: B5 92 47 48 17 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 0D 06 09 2A …GH…o#_FaV…

0310: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 93 58 51 …p… 0…U.#…0…XQ

0320: F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B …!.."GZ…+

0330: 70 30 62 06 03 55 1D 1F 04 5B 30 59 30 57 A0 55 p0b…U…0…*

0070: 86 48 86 F7 0D 01 01 0B 05 00 30 7E 31 13 30 11 .H…0.1.0.

0080: 06 0A.[0Y0W.U

0340: A0 53 86 51 68 74 74 70 73 3A 2F 2F 72 61 77 2E .S.Qhttps://raw.

0350: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F githubuserconten

0360: 74 2E 63 6F 6D 2F 66 6C 6F 72 61 67 75 6E 6E 63 t.com/floragunnc

0370: 6F 6D 2F 75 6E 69 74 74 65 73 74 2D 61 73 73 65 om/unittest-asse

0380: 74 73 2F 6D 61 73 74 65 72 2F 72 65 76 6F 6B 65 ts/master/revoke

0390: 64 2E 63 72 6C 30 41 06 03 55 1D 11 04 3A 30 38 d.crl0A…U…:08

03A0: 82 1E 70 70 6A 62 69 65 73 31 2E 73 65 72 76 69 …ppjbies1.servi

03B0: 63 65 73 2E 69 6E 67 65 6E 69 63 6F 2E 63 6F 6D ces.ingenico.com

…&…,d…co

0090: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0…&…,d.

00A0: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 .03C0…ingenico1.0…: 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04 AC 15 16 …localhost…

03D0: 26 88 05 2A 03 04 05 05 30 0D 06 09 2A 86 48 86 &……0….H.

03E0: F7 0D 01 01 0B 05 00 03 82 01 01 00 89 17 4E 12 …N.

03F0: 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED 3E 1A E1 31 V.C]<…h.>…1

0400: 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 EB 2B 19 5E v.]…Rw.=.9…+.^

0410: 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 84 B8 6D B8 x2…y…y…m.

0420: 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 39 A0 C2 47 n…S…^. …79…G

0430: 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 43 16 64 36 )ZJ.([…&…0C.d6

0440: 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 82 C8 55 CA iB…M.NcW…U.

0450: B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 29 C4 4A 64 …W.

00B0: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C .U…Ingenico1.

00C0…CU.r.).Jd

0460: 88 4B 7F 25 A1 59 E9 FB A9 B2 B5 1D 73 70 30 CA .K: 30 1A 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 0…U…Ingenic

00D0: 6F 20 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A o Signing CA1.0.

00E0: 06 03 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 …U…Ingenico

00F0: 53 69 67 6E 69 6E 67 20 43 41 30 1E 17 0D 31 37 Signing CA0…17

0100: 31 31 32 32 31 36 31 39 35 31 5A 17 0D 31 39 31 1122161951Z…191

0110: 31 32 32 31 36 31 39 35 31 5A 30 68 31 0B 30 09 122161951Z0h1.0.

.%.Y…sp0.

0470: 33 D7 F3 0F B1 3D 0C 71 0120 F6 BA BA 22 EF F8 7C DE 3…=.q…"…

0480: F0 31: 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 …U…FR1.0…U

0130: 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 03 …France1.0…

0140: 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C 30 U…Ingenico1.0

0150: 0A 06 03 55 04 0B 13 03 41 50 4F 31 27 30 25 06 … 41 A9 76 8E 05 3D 03 12 3F AA E2 17 F5 5F .1A.v…=…?.._.U…APO1’0%.

0160: 03 55 04 03 13 1E 70 70 6A 62 69 65 73 31 2E 73 .U…ppjbies1.s

0170: 65 72 76 69 63 65 73 2E 69 6E 67 65 6E 69 63 6F ervices.ingenico

0180: 2E 63 6F 6D 30 82 01 22 30 0D 06 09 2A 86 48 86 .com0…"0…*.H.

0190: F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A .

0490: FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F 00 36 07 2F .M…o’$…6./

04A0: BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 A9 A4 81 B9 .b…].r;.B…

…0…

01A0: 02 82 01 01 00 8F 1A 0B C4 67 3F BC 37 24 27 1F …g?.7$’.04B0

01B0: 3A 31 60 30 03 8A BE 26 FE 5E 38 94 5F A8 48 54 :1`0…&.^8._.HT

01C0: F6 BC 21 FB 23 13 E9 AF 96 0A 6A A2 CE A2 40 03 …!.#.: F0 EF 67 57 CD EA C1 BE BF CB 20 DE E5 11 F3 35 …gW… …j…@.

01D0: 7D 2B 5E 2F 59 03 6A AA A5 E5 8C 21 0E 70 CC D4 .+^/Y.j…!.p…

01E0: 9C 44 B9 1E 54 57 E1 F9 DC 7E AC F0 3B 43 0F 5A .D…TW…;C.Z

…5

01F004C0: 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 9F 79 6E DC bX…E.yn.

04D0: F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 B1 76 BB 47 …D…8…v.G

: B5 D4 55 89 24 9D 83 E3 3C C2 89 08 E3 54 55 2F …U.$…<…TU/

0200: 20 CD C8 03 DC 32 C6 FE 37 88 06 C4 DD B8 EC AB …2…7…

0210: 2C F4 0C ED CF 9C 94 4C 1F 85 C8 FD 7E 1F 3E F0 ,…L…>.

0220: 6D 33 DB E3 06 A2 CB 87 09 DA 95 3B BB EB 19 B8 m3…;…

04E00230: C3 CC 50 0C E6 EA D4 63 B5 22 8F 26 4B 56 9B 50 …P…c.".&KV.P

0240: 3D E5 96 6A 57 8E 71 31 B6 21 DE 2B 4B 37 45 A6 =…jW.q1.!.+K7E.

0250: 5A A8 ED C3 8D E4 1D FF 76 0B CD 5E 79 C5 E5 55 Z…v…^y…U

0260: 13 01 AA 2B 59 43 C3 D0 A2 94 A6 4F A6 F7 5F C8 …+YC…O…_.

0270: 35 04 8E E2 65 9F 27 4D 45 93 52 DF 22 A2 B8 B7 5…e.'ME.R."…

0280: B1 BE 30 30 CC A0 4C 0E 04 32 F2 21 86 AA 54 44 …00: 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 00 03 DB 30 .I…n…7…0

04F0: 82 03 D7 30 82 02 BF A0 03 02…L…2.!..TD

0290: A3 AB 65 A6 26 57 3E 92 7D 57 40 B3 55 4A 68 F7 …e.&W>…W@.UJh.

02A0: 17 66 56 4B 61 02 03 01 00 01 A3 82 01 25 30 82 01 02 02 01 02 30 …0…0

0500: 0D 06 09 2A 86 .fVKa…%0.

02B0: 01 21 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 .!0…U…

02C0: 05 A0 30 09 06 0 3 55 1D 13 04 02 30 00 30 1D 06 …0…U…0.0…

02D0: 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 .U.%…0…+…

02E0: 03 01 06 08 2B 06 01 05 05 07 03 02 30 1D48 06 03 …+…0…

02F0: 55 1D 0E 04 16 04 14 77 B4 4D 46 B5 92 47 48 17 U…w.MF…GH.

0300: 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 1F 06 03 55 .o#_FaV…0…U

0310: 1D 23 04 18 30 16 80 14 93 58 51 F7 1A 12 15 21 .#…0…XQ…!

0320: 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 30 62 06 03 …"GZ…+p0b…

0330: 55 1D 1F 04 5B 30 59 30 57 A0 55 A0 53 86 51 68 U…[0Y0W.U.S 86 F7 0D 01 01 0B 05 00 30 78 …*.H…0x

.Qh

0340: 74 74 051070 73 3A 2F 2F 72 61 77 2E 67 69 74 68 75 ttps://raw.githu

0350: 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D busercontent.com

0360: 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0…&…,d…

: 2F 66 6C 6F 72 61 67 75 6E 6E 630520 6F 6D 2F 75 6E /floragunncom/un

0370: 69 74 74 65 73 74 2D 61 73 73 65 74 73 2F 6D 61 ittest-assets/ma

0380: 73 74 65 72 2F 72 65 76 6F 6B 65 64 2E 63 72 6C : 16 03 63 6F 6D 31 18 30 ster/revoked.crl

0390: 30 41 06 03 55 1D 11 04 3A 30 38 82 1E 70 70 6A 0A…U…:08…ppj

03A0: 62 69 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 bies1.services.i

16 06 0A 09 92 26 89 93 03B0…com1.0…&…

0530: F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F 31 .,d…ingenico1

0540: 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 69 .0…U…Ingeni

0550: 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E 67 co1.0…U…Ing

0560: 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 30 enico Root CA1.0

0570: 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 6F …U…Ingenico

0580: 20 52 6F 6F 74 20 43 41 30 1E 17 0D 31 37 31 31 Root CA0…1711

0590: 32 32 31 36 31 39 34 38 5A 17 0D 32 37 31 31 32 22161948Z…27112

05A0: 32 31 36 31 39 34 38 5A 30 7E 31 13 30 11 06 0A 2161948Z0.1.0…

: 6E 67 65 6E 69 63 6F 2E 63 6F 6D 82 09 6C 6F 63 ngenico.com…loc

03C0: 61 6C 68 6F 73 74 87 04 AC 15 16 26 88 05 2A 03 alhost…&…*.

03D0: 04 05 05 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B …0…*05B0.H…

03E0: 05 00 03 82 01 01 00 89 17 4E 12 56 7F 43 5D 3C …N.V.C]<: 09 92 26 89 93 F2 2C 64 01

03F0: CE D9 F1 96 A5 68 ED 3E 1A E1 31 76 A7 5D 97 E8 …h.>…1v.]…

0400: 52 77 DA 3D F4 39 07 EB 2B 19 5E 78 32 B6 0D 02 Rw.=.9…+.^x2…

0410: 79 C4 00 C1 79 A4 02 84 B8 6D B8 6E CC 04 53 A4 y…y…m.n…S.

0420: D5 5E 80 20 D5 CC 37 39 A0 C2 47 29 5A 4A 08 28 .^. …79…G)ZJ.(

0430: 5B CD 7E 26 11 2E 30 43 16 64 36 69 42 8A E1 E2 [ 19 16 03 63 6F 6D 31 …&…,d…com1

05C0: 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 .0…&…,d…

05D0: 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 55 .ingenico1.0…U

05E0: 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C 30 1A …Ingenico1.0.

05F0: 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 6F 20 …U…Ingenico

0600: 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A 06 03…&…0C.d6iB…

0440: 0C 4D BC 4E 63 57 06 82 C8 55 CA B1 85 57 CF D7 .M.NcW…U…W…

0450: C0 1C 43 55 F3 72 B6 29 C4 4A 64 88 4B 7F 25 A1 …CU.r.).Jd.K.%.

0460: 59 E9 FB A9 B2 B5 1D 73 70 30 CA 33 D7 F3 0F B1 Y…sp0.3…

0470: 3D 0C 71 F6 BA BA 22 EF F8 7C DE F0 31 41 Signing CA1.0…

0610: 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 U…Ingenico Si

0620: 67 6E 69 6E 67 20 43 41 30 82 01 22 30 0D 06 09 gning CA0…"0…

0630: 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 *.H…

0640: 30 82 01 0A 02 82 01 01 00 C9 38 24 AC 9F 51 53 0…8$…QS

0650: FE 46 D0 06 97 2A 68 55 68 F4 26 3A 0F 27 0E 6E A9 76 =.q…"…1A.v

0480: 8E 05 3D 03.F…*hUh.&:.’.n

0660: CB 2B CB D7 6D 7F D2 37 6B F8 6D 34 EA A9 BE 53 .+…m…7k.m4…S

0670: 04 11 09 C1 12 3F AA E2 17 F5 5F FA 4D EE 8042 89 …=…?.._.M…

0490: 8C 6F 27 24 A6 B2 0F 00 36 07 2F BA 62 B3 1A 0F .o’$…6./.b…

04A0: 93 5D 81 72 3B AB 42 A9 A4 81 B9 F0 EF 67 57 CD .].r;.B…gW.

04B0: EA C1 BE BF CB 20 DE E5 11 F3 35 62 58 F4 08 E1 … …5bX…

04C0: BC D6 B2 A6 DC 93 45 9F 79 6E DC F0 1B A8 CA 44 …E.yn…D

04D0: F6 86 0E DA 38 0D E1 B1 76 BB 47 0A 49 DA CF F2 … FA 5D 5D 4A CA 48 25 C3 F7 6C 37 …B.]]J.H%…l7

0680: 37 86 B0 70 22 3F BA F6 E9 D4 DA 2C DB 48 4F 48 7…p"?..,.HOH

0690: F0 9A CF AA 60 11 6D 4E 40 35 86 9C 15 8A 1E 3D …8…v.G.I…

04E0: E4 6E 8F E1 37 9C F8 00 03 DB 30 82 03 D7 30 82 .n…7…0…0.

04F0: 02 BF A0 03 02 01 02 02 01 02 30 0D 06 09 2A 86 …0…*.

0500: 48 86 F7 0D 01 01 0B.`.mN@5…= 05 00 30 78 31 13 30 11 06 H…0x1.0…

0510: 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D …&…,d…com

06A0: 25 CE B4 EF 10 4C C9 A6 82 47 3D AA 32 13 C3 9C %…L…G=.2…

06B0: 9A C8 29 BE 70 9F 20 B9 4B C9 26 01 CC DE 68 86 …).p. .K.&…h.

06C0: C1 87 D5 62 3D FD 9F 8D FE A7 09 F4 9E 0B A9 46 …b=…F

06D0: 31 E7 D8 E6 DA 97 5F 10 75 66 EA D6 AE 05 39 C6 1…_.uf…9.

06E0: FD 4A 78 44 58 7D F9 00 4A D7 2B 74 1B 3C 3E 06 .JxDX…J.+t.<>.

06F0: 34 A9 6C 80 78 84 74 E4 B5 14 5A 2A CA 02 46 65 4.l.x.t…Z*…Fe

0700: C1 26 90 63 05 5C 71 29 FE 29 2C 0D F3 73 2E 46 .&.c.\q).),…s.F

0710: 8D AA 4A 3B 1D 1F 8D 0C AE D1 97 83 C3 F6 2E 49 …J;…I

0720: 08 2F 91 0B 5A AF A9 A5 A9 7D CE 3D 4D 4B A9 4A ./…Z…=MK.J

0730: C9 26 71 4C 3C 9C 5E A7 5C 25 CB FA 7D 11 53 E7 .&qL<.^.%…S.

0740: F7 4E AA 79 DC 78 1E CD 9B 02 03 01 00 01 A3 66 .N.y.x…f

0750: 30 64 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 0d0…U…

0760: 01 06 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 …0520: 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0…&…,d…

0530: 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 …ingenico1.0…

0540: 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 30 U…Ingenico1.0

0550: 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 6F …0.U…Ingenico

0560: 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 04 Root CA1.0…U.

0570: 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F 74 …Ingenico Root

0580: 20 43 41 30 1E 17 0D 31 37 31 31 32 32 31 36 31 CA0…171122161

…U…0.

0770: 01 01 FF 02 01 00 30 1D 06 03 55 1D 0E 04 16 04 …0…U…

0780: 14 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 …XQ…!.."G

0790: 5A BD 9E 2B 70 30 1F 06 03 55 1D 23 04 18 30 16 Z…+p0…U.#…0.

07A0: 80 14 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C ….Y..b[..A<

07B0: AF 81 23 11 31 8B 30 0D 06 09 2A 86 48 86 F7 0D …#.1.0…*.H…

07C0: 01 01 0B 05 00 03 82 01 01 00 02 32 49 FB 25 7C …2I.%.

07D0: 47 CC 17 38 5B 00 F8 D6 5E D7 2F FA E6 BC 4B 81 G…8[…^./…K.

07E0: B7 1A 91 8F 38 AD DA 5B 54 DF 13 DB 56 9B 51 CC …8…[T…V.Q.

07F0: 0A C8 F4 07 EF 53 95 94 DD 98 9F EB A2 FE 09 7D …S…

0800: E5 23 F6 B5 B5 B2 0D 59 71 66 B1 64 A5 3A 59 C9 .#…Yqf.d.:Y.

0810: 44 7F 01 B7 AE 5E F3 E1 79 08 24 BB C9 CA AC 5F D…^…y.$…_

0820: BD B4 D5 76 36 3D CA 07 0E 39 02 8D 23 84 FA 80 …v6=…9…#…

0830: 2C A5 74 2D B2 36 DF CA E5 F9 8C 90 C1 CD 7F 3A ,.t-.6…:

00840: 0D 85 54 D9 E9 77 93 D6 590 : 39 34 38 5A 17 0D 32 37 31 31 32 32 31 36 31 39 948Z…2711221619

05A0: 34 38 5A 30 7E 31 13 30 11 06 0A 09 92 26 89 93 48Z0.1.0…&…

05B0: F2 2C 64 01 19 16 03 63 6F 6D 31 18 30 16 06 0A .,d…com1.0…

05C0E8: 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 67 65 …&…,d…inge

05D0: 6E 69 63 6F 31 11 30 0F 06 03 55 04 0A 0C 08 49 nico1.0…U…I

05E0: 6E 67 65 6E 69 63 6F 31 1C 30 1A 06 03 55 04 0B ngenico1.0…U…

05F0: 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 D4 41 F1 A9 93 6B 03 …T…w…A…k.

0850: E5 C0 91 3B 3C 9C 4C B6 21 ED 2D C7 20 9A D4 CC …;<.L.!.-. …Ingenico Signi

0600: 6E 67 20 43 41 31 1C 30 1A 06 03 55 04 03 0C 13 ng CA1.0…U…

0610: 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 Ingenico Signing

0620: 20 43 41 30 82

0860: 22 23 01 6D 01 22 30 96 B4 3C 8F 78 25 7E ED 4A DA 14 BC "# 0D 06 09 2A 86 48 86 F7 CA0…"0…*.H…

0630: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 …0…

0640: 82 01 01 00 C9 38 24 AC 9F 51 53 FE 46 D0 06 97 …8$…QS.F…

0650: 2A 68 55 68 F4 26 3A 0F 27 0E 6E CB 2B CB D7 6D *hUh.&:.’.n.+…m

0660: 7F D2 37 6B F8 6D 34 EA .m…<.x%…J…

0870: 9C 7D 4C BF 94 60 82 BB BC 53 AC 00 2B 50 45 74 A9…L…`…S…+PEt

0880: F2 71 4D BF 7F B9 CF 96 27 CC D2 27 E2 37 CE 84 .qM…’…’.7…

0890: 0D 7F F2 3E E6 06 63 5A E6 71 1F 08 14 B4 C4 A4 …>…cZ.q…

08A0: E0 F0 9E CB AA 10 FF BA 63 95 96 BD 13 25 5B 3D …c…%[=

08B0: D5 51 FF 76 00 3E 57 84 30 EC AC B3 7D 02 07 D2 .Q.v.>W.0…

08C0: 93 5A 00 D4 B0 E9 97 86 9A 23 0C 00 01 49 03 00 .Z… BE 53 04 11 09 C1 42 …7k.m4…S…B

0670: FA 5D 5D 4A CA 48 25 C3 F7 6C 37 37 86 B0 70 22 .]]J.H%…l77…p"

0680…#…I…

08D0: 17 41 04 17 F0 E9 F0 D9 ED 60 8B 0C 3A B9 26 06 .A…: 3F BA F6 E9 D4 DA 2C DB 48 4F 48 F0 9A CF AA 60 .`…:.&.

08E0: CF 38 39 4C A0 E9 0E 20 99 FE 2A 60 00 31 18 0B .89L… …*`.1…

08F0: 15 45 6D EA 12 B2 F6 8D E9 55 9C EC C1 05 F4 4F .Em…U…O

0900: 46 E5 16 63 60 BD 5B BC ?..,.HOH…`

0690: 11 6D 4E 40 35 86 9C 15 8A 1E 3D 25 CE B4 EF 10 .mN@5…=%…

06A0: 4C C9 A6 82 47 3D AA 32 13 C3 9C 9A C8 29 BE 70 L…G=.2…).p

06B0: 9F 20 B9 4B C9 26 01 CC DE 68 86 C1 87 D5 62 3D . .K.&…h…b=

06C0: FD 9F 8D FE A7 09 F4 9E 0B A9 46 31 E7 D8 E6 DA …F1…

06D0: 97 5F 10 75 66 EA D6 AE 05 39 C6 FD 4A 78 44 58 ._.uf…9…JxDX

06E0: 7D F9 00 4A D7 2B 74 1B 3C 3E 06 34 A9 6C 80 78 93 3C D2 3C 9B 69 73 93 F…c`.[…<.<.is.

0910: 8A 33 4F 06 01 01 00 81 66 29 2B D9 A0 A4 D3 1F .3O…f)+…

0920: 4D 14 24 E7 10 FC EB 1D 95 B0 11 39 F2 A1 FA 43 M.$…9…C

0930: AF 91 C9 E5 E9 42 21 A4 AF A9 3B 4A 6B 2C 16 0B …B!..;Jk,…

0940: E0 2D 84 8E 51 5E C7 CA FB EA 89 DF FC 08 1F F5 .-…Q^. …J.+t.<>.4.l.x

06F0: 84 74 E4 B5 14 5A 2A CA 02 46 65 C1 26 90 63 05 .t…Z*…Fe.&.c.

0700: 5C 71 29 FE 29 2C 0D F3 73 2E 46 8D AA 4A 3B 1D \q).),…s.F…J;…

0950: 39 38 EF 9E DB A5 DD FB A1 61 E3 A0 6D F2 71 D5 98…a…m.q.

0960: 94 C9 D9 AF F5 E6 1A C1 0C 46 97 D9 35 85 34 30 …F…5.40

0970: 18 0C 36 A5 CD C5 B4 D0 42 B9 0C 77 95 C1 5D E3 …6…B…w…].

0980: 96

0710: 1F 8D 0C AE D1 97 83 C3 F6 2E 49 08 2F 91 0B 5A …E3…I./…Z

0720: AF A9 A5 A9 7D CE 3D 4D 4B A9 4A C9 26 71 4C 3C …=MK.J.&qL<

0730: 9C 5E A7 5C 25 CB FA 7D 11 53 E7 F7 4E AA 79 DC .^.%…S…N.y.

0740: 78 1E CD 9B 02 03 01 00 01 A3 66 30 64 30 0E 06 x…f0d0…

0750: 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 12 06 .U…0…

0760: 03 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 D8 00 53 A1 E3 98 4A 94 69 FA 13 65 9A 42 …S…J.i…e.B

0990: B3 AC BF 13 12 29 B9 8E 0A 7E EC AE 3B 63 C7 F2 …) .U…0…;c…

09A0: 64 D7 77 BC 7D 6E 1B A8 3F 69 62 D7 77

0770: 00 30 1D 06 03 55 1D 0E 04 16 04 14 93 58 51 F7 .0…U…XQ.

0780: 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 3A C5 FD d.w…n…?ib.w:…

09B0: 48 94 BA 01 CA B3 52 F9 9E 2B 70 …!.."GZ 49 38 0D E7 95 C1 7A D3 H…R.I8…z.

…+p

0790: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 0E 89 24 0…U.#…0…$

07A0: A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 23 11 31 .Y…b[…A$<…#.1

07B0: 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 .0…*.H…

07C0: 03 82 01 01 00 02 32 49 FB 25 7C 47 CC 17 38 5B …2I.%.G…8[

07D0: 00 F8 D6 5E D7 2F FA E6 BC 4B 81 B7 1A 91 8F 38 …^./…K…8

07E0: AD DA 5B 54 DF 13 DB 56 9B 51 CC 0A C8 F4 07 EF …[T…V.Q09C0…

07F0: 53 95 94 DD 98 9F EB A2 FE 09 7D E5 23 F6 B5 B5 S…#…

0800: B2 0D 59 71 66 B1 64 A5 3A 59 C9 44 7F 01 B7 AE …Yqf.d.:Y.D…

0810: 5E F3 E1 79 08 24 BB C9 CA AC 5F BD B4 D5 76 36 ^…y.$…_…v6

0820: 3D CA 07 0E 39 02 8D 23 84 FA 80 2C A5 74 2D B2 =…9…#…,.t-.

0830: 36 DF CA E5 F9 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 6…:…T…

: 69 5A 7C 4E 06 DF 25 54 0840 49 BB B7 6E A4 34 F7 42 iZ.N…%TI…n.4.B

09D0: 7B 5E 67 5A 5C 16 45 F0 E4 3A B9 C6 52 EB 73 2C .^gZ.E…:…R.s,

09E0: 3D 14 B5 FC A3 AC EC 20 14 A0 C7 AB B0 22 CC F6 =… …"…

09F0: A3 F9 96 20 93 B0 E6 AA 68 D6 F3 3E 96 D3 02 1E … …h…>…: 77 93 D6 E8 D4 41…

0A00: 44 58 5E A8 17 17 F8 5B F1 A9 93 6B 03 E5 C0 91 3B 3C w… DF 6E 2F 9A F8 A8 4D 3F DX^…[.n/…M?

0A10: 5F 8A CD A9 D7 6F BD 0D 00 00 F0 03 01 02 40 00 _…o…@.

0A20: 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 …

0A30: 03 03 01 03 02 02 03 02 01 02 02 00 CE 00 7A 30 …A…k…;<

0850: 9C 4C B6 21 ED 2D C7 20 9A D4 CC 22 23 01 6D 96 .L.!.-. …"#.m.

0860: B4 3C 8F 78 25 7E ED 4A DA 14 BC 9C 7D 4C BF 94 .<.x%…J…L…

0870: 60 82 BB BC 53 AC 00 2B 50 45 74 F2 71 4D BF 7F `…S…+PEt.qM…

0880: B9 CF 96 27 CC D2 27 E2 37 CE 84 0D 7F F2 3E E6 …’…’.7…>.

0890: 06 63 5A E6 71 1F 08 14 B4 C4 A4 E0 F0 9E CB AA .cZ.q…

08A0: 10 FF BA 63 95 96 BD 13 25 5B 3D D5 51 FF 76 00 …c…%[=.Q…z0

0A40: 78 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 x1.0…&…,d.

0A50: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89.v.

08B0: 3E 57 84 30 EC AC B3 7D 02 07 D2 93 5A 00 D4 B0 >W.0…Z…

08C0: E9 97 86 9A 23 0C 00 01 49 03 00 17 41 04 D1 27 …#…I…A…’

08D0: 7C DD CB DF EB D9 6F B1 9F E6 17 B9 0A 11 B3 65 …o…e

08E0: 99 2D 57 E6 7F 41 17 F5 E5 45 72 DE AA CE 7B 3C .-W…A…Er…<

08F0: 91 D4 EB C8 B6 79 56 D0 DD 83 B1 08 76 86 48 D0 …yV…v.H.

…com1.0…&.

09000A60: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F …,d…ingenico: 3E 65 0F DF 55 3C 18 18 2F A1 2F B4 7F DF 06 01 >e…U<…/./…

0910: 01 00 7F FD 35 55 01 64 21 1A B1

0A70: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0…U…Ingen

0A80: 69 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E ico1.0…U…In

0A90: 67 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 genico Root CA1.

0AA0 C6 D6 D3 BF 79 : 30 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 0…U… …5U.d!..Ingenic

0AB0: 6F 20 52 6F 6F 74 20 43 41 00 50 30 4E 31 0B 30 o Root CA.P0N1.0

0AC0: 09 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 …U…FR1.0…

0AD0: 55 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 U…France1.0…

0AE0: 03 55 04 0A 13 08 49 6E …y

0920: F6 1F 6B CD EA 2F 95 A0 39 B2 14 26 F2 AD 60 A8 …k…/…9…&…`.

0930: 27 42 08 0E 96 A3 FA 21 31 C8 00 AC 54 0D 59 73 'B…!1…T.Ys

0940: 56 F1 B7 D8 67 9F CD 2F 04 69 86 95 FB A1 D4 38 V…g…/.i…8

0950: 2E 66 5D 4C 90 34 02 9B 67 65 6E 69 63 6F 31 0C .U…Ingenico1.

0AF0: 30 0A 06 03 55 04 0B 13 03 41 50 4F 31 0D 30 0B 0…U…APO1.0.

0B00: 06 03 55 04 03 13 04 6A 69 72 61 0E 00 00 00 …U…jira…

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify

Padded plaintext before ENCRYPTION: len = 64

0000: 0E 89 FD D4 76 1B 81 11 05 B9 37 2F 95 BB 16 4C …v…7/…L

0010: 01 00 B7 DF 62 50 74 A5 39 30 21 82 32 4F F4 32 …bPt.90!.2O.2

0020: 85 C1 72 EF 43 6A 8A 8A 0C 76 C6 0D EC E2 DE A8 …r.Cj…v…

0030: 0B 4F 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D .O…

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 64

[Raw write]: length = 69

0000: 15 03 03 00 40 C8 D5 02 DC EA D8 9A DF E7 81 3F …@…?

0010: E8 73 76 5E 25 6E 14 C2 CE 78 48 E1 DC CE BB B9 .sv^%n…xH…

0020: D6 96 2E 14 4B 89 80 67 D1 B3 6B 17 6D D3 07 32 …K…g…k.m…2

0030: 45 A4 5C F7 EA 98 59 25 94 B0 03 BD 57 A1 FE 8E E…Y%…W…

0040: 0A BD 6D 57 66 …mWf

E3 ED B0 AE BC 1E 1A 49 .f]L.4…I

0960: 92 47 61 AC 52 B6 F4 D9 62 CD 93 4F 40 4D 19 9B .Ga.R…b…O@M…

0970: AF 70 17 94 C0 90 28 82 6F 3C 30 48 22 75 5F 0C .p…(.o<0H"u_.

0980: 24 6B D9 37 E2 78 28 6D 53 2A 02 A5 D6 24 3D 79 k.7.x(mS*...=y

0990: 42 39 A0 42 E8 5A 4D A4 6F 48 F0 19 19 CB B0 53 B9.B.ZM.oH…S

09A0: 30 38 95 87 BD 9D B9 4A 67 7F E9 2D 34 8A 40 8A 08…Jg…-4.@.

09B0: DD BE 97 63 48 FE 70 10 7B 05 CA 42 0A F8 ED 77 …cH.p…B…w

09C0: C4 74 56 FA 1C E3 C5 66 06 6E 1A C6 1B DA 63 37 .tV…f.n…c7

09D0: 3E 41 AA FD 37 9D 00 AF 72 5F 08 E2 FB D9 DE A5 >A…7…r_…

09E0: 86 86 93 5F BD 14 70 3D 6F 88 E0 37 A6 CE F0 6B …_…p=o…7…k

09F0: 5B 6F 82 5A 42 75 94 89 0A 47 CA C1 DE B0 94 B6 [o.ZBu…G…

0A00: 80 5A 64 5D 0E D8 3B DF 89 FE FE CC AE 4E 4C 55 .Zd]…;…NLU

0A10: 3E 5D 0D 00 00 F0 03 01 02 40 00 1A 06 03 06 01 >]…@…

0A20: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 …

0A30: 02 03 02 01 02 02 00 CE 00 7A 30 78 31 13 30 11 …z0x1.0.

0A40: 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F …&…,d…co

0A50: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0…&…,d.

0A60: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 …ingenico1.0…

0A70: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 .U…Ingenico1.

0A80: 30 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 0…U…Ingenic

0A90: 6F 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 o Root CA1.0…U

0AA0: 04 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F …Ingenico Roo

0AB0: 74 20 43 41 00 50 30 4E 31 0B 30 09 06 03 55 04 t CA.P0N1.0…U.

0AC0: 06 13 02 46 52 31 0F 30 0D 06 03 55 04 07 13 06 …FR1.0…U…

0AD0: 46 72 61 6E 63 65 31 11 30 0F 06 03 55 04 0A 13 France1.0…U…

0AE0: 08 49 6E 67 65 6E 69 63 6F 31 0C 30 0A 06 03 55 .Ingenico1.0…U

0AF0: 04 0B 13 03 41 50 4F 31 0D 30 0B 06 03 55 04 03 …APO1.0…U…

0B00: 13 04 6A 69 72 61 0E 00 00 00 …jira…

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], WRITE: TLSv1.2 Handshake, length = 2826

[Raw write]: length = 2831

0000: 16 03 03 0B 0A 02 00 00 4D 03 03 5A 18 1B F9 C5 …M…Z…

0010: 14 F0 AB 83 9B EF 65 7D DF 07 F2 53 66 ED 4B 70 …e…Sf.Kp

0020: B4 D5 48 19 8F 6E 4F B9 16 3D E5 20 5A 18 1B F9 …H…nO…=. Z…

0030: 62 D1 DA 82 51 FB E9 2A 89 3B E6 DC 82 49 AA CD b…Q…*.;…I…

0040: 9C 7B 1C 73 A7 AD 12 34 00 A6 DB 0A C0 27 00 00 …s…4…’…

0050: 05 FF 01 00 01 00 0B 00 08 70 00 08 6D 00 04 8C elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify

…p…m…

0060: 30 82 04 88 30 82 03 70 A0 03 02 01 02 02 01 02 0…0…p…

0070: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 0…*.H…0

0080: 7E 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 .1.0…&…,d.

0090: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 …com1.0…&.

00A0: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F …,d…ingenico

00B0: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0…U…Ingen

00C0: 69 63 6F 31 1C 30 1A 06 03 55 04 0B 0C 13 49 6E ico1.0…U…Padded plaintext before ENCRYPTION: len = 64

…In

00D0: 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 0000 genico Signing C

00E0: 41 31 1C 30 1A 06 03 55 04 03 0C 13 49 6E 67 65 A1.0…U…Inge

00F0: 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 41: 08 46 54 32 6E 92 38 A0 00 45 D2 15 0C 13 B8 70 .FT2n.8…E…p

0010: 01 00 04 AF 30 nico Signing CA0

2A EB EB 64 BE BC 1F EF 66 18 B2 9C …*…d…f…0100

0020: DB 75 7F 70 91 75 96 13 : 1E 17 0D 31 37 31 31 32 32 31 36 31 39 35 31 5A 76 38 65 04 F3 B4 F5 43 .u.p.u…v8e…C

0030: BE 4D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D .M…

…171122161951Z

0110: 17 0D 31 39 31 31 32 32 31 36 31 39 35 31 5A 30 …191122161951Z0

0120: 68 31 0Belasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 64

30 09 06 03 55 04 06 13 02 46 52 31 0F h1.0…U…FR1.

0130: 30 0D 06 03 55 04 07 13 06 46 72 61 6E 63 65 31 0[Raw write]: length = 69

…U…France10000

0140: 11 30 0F 06 03 55 04 0A 13 08 49 6E 67 65 6E 69 .0…U…Ingeni

0150: 63 6F 31 0C 30 0A 06 03 55 04 0B 13 03 41 50 4F co1.0…U…APO

0160: 31 27 30 25 06 03 55 04 03 13 1E 70 70 6A 62 69 1’0%…U…ppjbi

0170: 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 6E 67 es1.services.ing

0180: 65 6E 69 63 6F 2E 63 6F 6D 30 82 01 22 30 0D 06 enico.com0…"0…

0190: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F .*.H…

01A0: 00 30 82 01 0A 02 82 01 01 00 8F 1A 0B C4 67 3F .0…g?

01B0: BC 37 24 27 1F 3A 31 60 30 03 8A BE 26 FE 5E 38 .7$’.:1`0…&.^8

01C0: 94 5F A8 48 54 F6 BC 21 FB 23 13 E9 AF 96 0A 6A ._.HT…!.#…j

01D0: A2 CE A2 40 03 7D 2B 5E 2F 59 03 6A AA A5 E5 8C …@…+^/Y.j…

01E0: 21 0E 70 CC D4 9C 44 B9 1E 54 57 E1 F9 DC 7E AC !.p…D…TW…

01F0: F0 3B 43 0F 5A B5 D4 55 89 24 9D 83 E3 3C C2 89 .;C.Z…U.$…<…

0200: 08 E3 54 55 2F 20 CD C8 03 DC 32 C6 FE 37 88 06 …TU/ …2…7…

0210: C4 DD B8 EC AB 2C F4 0C ED CF 9C 94 4C 1F 85 C8 …,…L…

0220: FD 7E 1F 3E F0 6D 33 DB E3 06 A2 CB 87 09 DA 95 …>.m3…

0230: 3B BB EB 19 B8 C3 CC 50 0C E6 EA D4 63 B5 22 8F ;…P…c.".

0240: 26 4B 56 9B 50 3D E5 96 6A 57 8E 71 31 B6 21 DE &KV.P=…jW.q1.!.

0250: 2B 4B 37 45 A6 5A A8 ED C3 8D E4 1D FF 76 0B CD +K7E.Z…v…

0260: 5E 79 C5 E5 55 13 01 AA 2B 59 43 C3 D0 A2 94 A6 ^y…U…+YC…

0270: 4F A6 F7 5F C8 35 04 8E E2 65 9F 27 4D 45 93 52 O…_.5…e.'ME.R

0280: DF 22 A2 B8 B7 B1 BE 30 30 CC A0 4C 0E 04 32 F2 ."…00…L…2.

0290: 21 86 AA 54 44 A3 AB 65 A6 26 57 3E 92 7D 57 40 !..TD…e.&W>…W@

02A0: B3 55 4A 68 F7 17 66 56 4B 61 02 03 01 00 01 A3 .UJh…fVKa…

02B0: 82 01 25 30 82 01 21 30 0E 06 03 55 1D 0F 01 01 …%0…!0…U…

02C0: FF 04 04 03 02 05 A0 30 09 06 03 55 1D 13 04 02 …0…U…

02D0: 30 00 30 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 0.0…U.%…0…+

02E0: 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 …+…

02F0: 02 30 1D 06 03 55 1D 0E 04 16 04 14 77 B4 4D 46 .0…U…w.MF

0300: B5 92 47 48 17 91 6F 23 5F 46 61 56 7C 0C C1 C8 …GH…o#_FaV…

0310: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 93 58 51 0…U.#…0…XQ

0320: F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B …!.."GZ…+

0330: 70 30 62 06 03 55 1D 1F 04 5B 30 59 30 57 A0 55 p0b…U…[0Y0W.U

0340: A0 53 86 51 68 74 74 70 73 3A 2F 2F 72 61 77 2E .S.Qhttps://raw.

0350: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E githubuserconten

0360: 74 2E 63 6F 6D 2F 66 6C 6F 72 61 67 75 6E 6E 63 t.com/floragunnc

0370: 6F 6D 2F 75 6E 69 74 74 65 73 74 2D 61 73 73 65 om/unittest-asse

0380: 74 73 2F 6D 61 73 74 65 72 2F 72 65 76 6F 6B 65 ts/master/revoke

0390: 64 2E 63 72 6C 30 41 06 03 55 1D 11 04 3A 30 38 d.crl0A…U…:08

03A0: 82 1E 70 70 6A 62 69 65 73 31 2E 73 65 72 76 69 …ppjbies1.servi

03B0: 63 65 73 2E 69 6E 67 65 6E 69 63 6F 2E 63 6F 6D ces.ingenico.com

03C0: 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04 AC 15 16 …localhost…

03D0: 26 88 05 2A 03 04 05 05 30 0D 06 09 2A 86 48 86 &……0….H.

03E0: F7 0D 01 01 0B 05 00 03 82 01 01 00 89 17 4E 12 …N.

03F0: 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED 3E 1A E1 31 V.C]<…h.>…1

0400: 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 EB 2B 19 5E v.]…Rw.=.9…+.^

0410: 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 84 B8 6D B8 x2…y…y…m.

0420: 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 39 A0 C2 47 n…S…^. …79…G

0430: 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 43 16 64 36 )ZJ.([…&…0C.d6

0440: 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 82 C8 55 CA iB…M.NcW…U.

0450: B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 29 C4 4A 64 …W…CU.r.).Jd

0460: 88 4B 7F 25 A1 59 E9: 15 03 03 00 40 B1 AA 4D 6D 9B 8D 1C 14 D9 AC 10 FB A9 B2 B5 1D 73 70 30 CA .K.%.Y…sp0.

0470: 33 D7 F3 0F B1 3D 0C 71 F6 BA BA 22 EF F8 7C DE …@. 3…=.q…"…

0480: F0 31 41 A9 76 8E 05 3D 03 12 3F AA E2 17 F5 5F .1A.v…=…?.._

0490: FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F 00 36 07 2F .M…o’$…6./

04A0: BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 A9 A4 81 B9 .b…].r;.B…

04B0: F0 EF 67 57 CD EA C1 BE BF CB 20 DE E5 11 F3 35 .Mm… …gW… …5

04C0: 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 9F 79 6E DC bX…E.yn.

04D0: F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 B1 76 BB 47 …D…8…v.G

04E0: 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 00 03 DB 30 .I…n…7…0

04F0: 82 03 D7 30 82 02 BF A0 03 02 01 02 02 01 02 30 …0…0

0500: 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 78 …*.H…0x

0510: 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0…&…,d…

0520: 16 03 63 6F 6D 31 18 30

0010: 9C 5B D1 AE 70 0A 61 FC 16 06 0A 09 92 26 89 93 …com1.0…&…

0530: F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F 31 .,d…ingenico1

C3 04 F3 ED C8 92 0C 0E .[…p.a…

0020: FB C0 34 7B FE A6 98 AC 68 77 AD 6B 91 0F 08 7D …4…hw.k…

0030: 6A 1F EC E3 8A 30 CB E6 3F BC FB E7 4B 7D 57 FD j…0…?..K.W.

0040: B2 3B 16 B4 3A .;…:

0540: 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 69 .0…U…Ingeni

0550: 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E 67 co1.0…U…Ing

0560: 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 30 enico Root CA1.0

0570: 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 6F …U…Ingenico

0580: 20 52 6F 6F 74 20 43 41 30 1E 17 0D 31 37 31 31 Root CA0…1711

0590: 32 32 31 36 31 39 34 38 5A 17 0D 32 37 31 31 32 22161948Z…27112

05A0: 32 31 36 31 39 34 38 5A 30 7E 31 13 30 11 06 0A 2161948Z0.1.0…

05B0: 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D 31 …&…,d…com1

05C0: 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 .0…&…,d…

05D0: 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 55 .ingenico1.0…U

05E0: 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C 30 1A …Ingenico1.0.

05F0: 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 6F 20 …U…Ingenico

0600: 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A 06 03 Signing CA1.0…

0610: 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 U…Ingenico Si

0620: 67 6E 69 6E 67 20 43 41 30 82 01 22 30 0D 06 09 gning CA0…"0…

0630: 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 *.H…

0640: 30 82 01 0A 02 82 01 01 00 C9 38 24 AC 9F 51 53 0…8$…QS

0650: FE 46 D0 06 97 2A 68 55 68 F4 26 3A 0F 27 0E 6E .F…*hUh.&:.’.n

0660: CB 2B CB D7 6D 7F D2 37 6B F8 6D 34 EA A9 BE 53 .+…m…7k.m4…S

0670: 04 11 09 C1 42 FA 5D 5D 4A CA 48 25 C3 F7 6C 37 …B.]]J.H%…l7

0680: 37 86 B0 70 22 3F BA F6 E9 D4 DA 2C DB 48 4F 48 7…p"?..,.HOH

0690: F0 9A CF AA 60 11 6D 4E 40 35 86 9C 15 8A 1E 3D …`.mN@5…=

06A0: 25 CE B4 EF 10 4C C9 A6 82 47 3D AA 32 13 C3 9C %…L…G=.2…

06B0: 9A C8 29 BE 70 9F 20 B9 4B C9 26 01 CC DE 68 86 …).p. .K.&…h.

06C0: C1 87 D5 62 3D FD 9F 8D FE A7 09 F4 9E 0B A9 46 …b=…F

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

06D0: 31 E7 D8 E6 DA 97 5F 10 75 66 EA D6 AE 05 39 C6 1…_.uf…9.

06E0: FD 4A 78 44 58 7D F9 00 4A D7 2B 74 1B 3C 3E 06 .JxDX…J.+t.<>.

06F0: 34 A9 6C 80 78 84 74 E4 B5 14 5A 2A CA 02 46 65 4.l.x.t…Z*…Fe

0700: C1 26 90 63 05 5C 71 29 FE 29 2C 0D F3 73 2E 46 .&.c.\q).),…s.F

0710: 8D AA 4A 3B 1D 1F 8D 0C AE D1 97 83 C3 F6 2E 49 …J;…I

0720: 08 2F 91 0B 5A AF A9 A5 A9 7D CE 3D 4D 4B A9 4A ./…Z…=MK.J

0730: C9 26 71 4C 3C 9C 5E A7 5C 25elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify

CB FA 7D 11 53 E7 .&qL<.^.%…S.

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 2

0740: F7 4E AA 79 DC 78 1E CD 9B 02 03 01 00 01 A3 66 .N.y.x…f

0750: 30 64 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 0d0…U…

0760: 01 06 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 …0…U…0.

0770: 01 01 FF 02 01 00 30 1D 06 03 55 1D 0E 04 16 04 …0…U…

0780: 14 93 58 51 F7 1A 12 15 [Raw write]: length = 7

21 9D 13 F8 90 18 22 47 …XQ…!.."G

0790: 5A BD 9E 2B 70 30 1F 06 03 55 1D 23 04 18 30 16 Z…+p0…U.#…0.

07A0: 80 14 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C ….Y..b[..A<

07B0: AF 81 23 11 31 8B 30 0D 06 09 2A 86 48 86 F7 0D …#.1.0…*.H…

07C0: 01 01 0B 05 00 03 82 01 01 00 02 32 49 FB 25 7C …2I.%.

07D0: 47 CC 17 38 5B 00 F8 D6 5E D7 2F FA E6 BC 4B 81 G…8[…^./…K.

07E0: B7 1A 91 8F 38 AD DA 5B 54 DF 13 DB 56 9B 51 CC …8…[T…V.Q.

07F0: 0A C8 F4 07 EF 53 95 94 DD 98 9F EB A2 FE 09 7D …S…

0800: E5 23 F6 B5 B5 B2 0D 59 71 66 B1 64 A5 3A 59 C9 .#…Yqf.d.:Y.

08100: 44 7F 01 B7 AE 5E F3 E1 79 08 24 BB C9 CA AC 5F D…^…y.$…_

0820: BD B4 D5 76 36 3D CA 07 0E 39 02 8D 23 84 FA 80 …v6=…9…#…

0830: 2C A5 74 2D B2 36 DF CA E5 F9 8C 90 C1 CD 7F 3A ,.t-.6…:

0840: 0D 85 54 D9 E9 77 93 D6 E8 D4 41 F1 A9 93 6B 03 …T…w…A…k.

0850: E5 C0 91 3B 3C 9C 4C B6 21 ED 2D C7 20 9A D4 CC …;<.L.!000.-. …

0860: 22 23 01 6D 96 B4 3C 8F 78 25 7E ED 4A DA 14 BC "#.m…<.x%…J…

0870: 9C 7D 4C BF 94 60 82 BB BC 53 AC 00 2B 50 45 74 …L…`…S…+PEt

0880: F2 71 4D BF 7F B9 CF 96 27 CC D2 27 E2 37 CE 84 .qM…’…’.7…

0890: 0D 7F F2 3E E6 06 63 5A E6 71 1F 08 14 B4 C4 A4 …>…cZ.q…

08A0: E0 F0 9E CB AA 10 FF BA 63 95 96 BD 13 25 5B 3D …c…%[=

08B0: D5 51 FF 76 00 3E 57 84 30 EC AC B3 7D 02 07 D2 .Q.v.>W.0…

08C0: 93 5A 00 D4 B0 E9 97 86 9A 23 0C 00 01 49 03 00 .Z…#…I…

08D0: 17 41 04 D1 27 7C DD CB DF EB D9 6F B1 9F E6 17 .A…’…o…

08E0: B9 0A 11 B3 65 99 2D 57 E6 7F 41 17 F5 E5 45 72 …e.-W…A…Er

08F0: DE AA CE 7B 3C 91 D4 EB C8: 15 03 03 00 02 01 00 B6 79 56 … D0 DD 83 B1 …<…yV…

0900: 08 76 86 48 D0 3E 65 0F DF 55 3C 18 18 2F A1 2F .v.H.>e…U<…/./

0910: B4 7F DF 06 01 01 00 7F FD 35 55 01 64 21 1A B1 …5U.d!..

0920: C6 D6 D3 BF 79 F6 1F 6B CD EA 2F 95 A0 39 B2 14 …y

…k…/…9…

0930: 26 F2 AD 60 A8 27 42 08 0E 96 A3 FA 21 31 C8 00 &…`.'B…!1…

0940: AC 54 0D 59 73 56 F1 B7 D8 67 9F CD 2F 04 69 86 .T.YsV…g…/.i.

0950: 95 FB A1 D4 38 2E 66 5D 4C 90 34 02 9B E3 ED B0 …8.f]L.4…

0960: AE BC 1E 1A 49 92 47 61 AC 52 B6 F4 D9 62 CD 93 …I.Ga.R…b…

0970: 4F 40 4D 19 9B AF 70 17 94 C0 90 28 82 6F 3C 30 O@M…p…(.o<0

0980: 48 22 75 5F 0C 24 6B D9 37 E2 78 28 6D 53 2A 02elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

H"u_.$k.7.x(mS*.

0990: A5 D6 24 3D 79 42 39 A0 42 E8 5A 4D A4 6F 48 F0 …$=yB9.B.ZM.oH.

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

09A0: 19 19 CB B0 53 30 38 95 87 BD 9D B9 4A 67 7F E9 …S08…Jg…

09B0: 2D 34 8A 40 8A DD BE 97 63 48 FE 70 10 7B 05 CA -4.@…cH.p…

09C0: 42 0A F8 ED 77 C4 74 56 FA 1C E3 C5 66 06 6E 1A elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

B…w.tV…f.n.

09D0: C6 1B DA 63 37 3E 41 AA FD 37 9D 00 AF 72 5F 08 …c7>A…7…r_.

09E0: E2 FB D9 DE A5elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()

86 86 93 5F BD 14 70 3D 6F 88 E0 …_…p=o…

09F0: 37 A6 CE F0 6B 5B 6F 82 5A 42 75 94 89 0A 47 CA 7…k[o.ZBu…G.

0A00: C1 DE B0 94 B6 80 5A 64 5D 0E D8 3B DF 89 FE FE …Zd]…;…

0A10: CC AE 4E 4C 55 3E 5D 0D 00 00 F0 03 01 02 40 00 …NLU>]…@.

0A20: 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 …

0A30: 03 03 01 03 02 02 03 02 01 02 02 00 CE 00 7A 30 …z0

0A40: 78 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 x1.0…&…,d.

0A50: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 …com1.0…&.

0A60: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F …,d…ingenico

0A70: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0…U…Ingen

0A80: 69 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E ico1.0…U…In

0A90: 67 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 genico Root CA1.

0AA0: 30 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 0…U…Ingenic

0AB0: 6F 20 52 6F 6F 74 20 43 41 00 50 30 4E 31 0B 30 o Root CA.P0N1.0

0AC0: 09 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 …U…FR1.0…

0AD0: 55 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 U…France1.0…

0AE0: 03 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C .U…Ingenico1.

0AF0: 30 0A 06 03 55 04 0B 13 03 41 50 4F 31 0D 30 0B 0…U…APO1.0.

0B00: 06 03 55 04 03 13 04 6A 69 72 61 0E 00 00 00 …U…jira…

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], called closeOutbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], closeOutboundInternal()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], SEND TLSv1.2 ALERT: warning, description = close_notify

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], WRITE: TLSv1.2 Alert, length = 2

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], called closeInbound()

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], fatal error: 80: Inbound closed before receiving peer’s close_notify: possible truncation attack?

javax.net.ssl.SSLException: Inbound closed before receiving peer’s close_notify: possible truncation attack?

%% Invalidated: [Session-40, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], SEND TLSv1.2 ALERT: fatal, description = internal_error

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], Exception sending alert: java.io.IOException: writer side was already closed.

``

On Friday, November 24, 2017 at 2:14:18 PM UTC+1, Search Guard wrote:

Make sure you execute ./gen_root_ca.sh only once. Certificates generatet not with the exactly same root CA are not trusted each other.

I suggest you delete every certificate/key/truststore etc and recreate all certs (but only once).

The scripts are known to work so i can only imagine you use certs signed by different root ca’s because you run ./gen_root_ca.sh more than once.

Or use the TLS cert generator https://floragunn.com/tls-certificate-generator/

can you please try the original script and the tls cert generator and report back if they work?

···

Am 24.11.2017 um 14:27 schrieb Frédéric Esnault <frederic.esnault@ovyka.com>:

I did not call the generator twice. And I already cleaned up every certificates (even nodes ones) once, recreating all certs by call the generate all script (only once).
I'll try again...

Btw I did launch the node in frontend, and got ssl debug, but the error is not really helping :

elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], READ: TLSv1.2 Handshake, length = 136
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1511529205 bytes = { 215, 56, 94, 216, 125, 171, 128, 135, 128, 189, 174, 27, 59, 4, 156, 93, 204, 197, 95, 160, 42, 129, 10, 253, 11, 215, 67, 9 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension renegotiation_info, renegotiated_connection: <empty>
***
[read] MD5 and SHA1 hashes: len = 136
0000: 01 00 00 84 03 03 5A 18 1B F5 D7 38 5E D8 7D AB ......Z....8^...
0010: 80 87 80 BD AE 1B 3B 04 9C 5D CC C5 5F A0 2A 81 ......;..].._.*.
0020: 0A FD 0B D7 43 09 00 00 16 C0 23 C0 27 00 67 00 ....C.....#.'.g.
0030: 40 C0 09 C0 13 00 33 C0 2B C0 2F 00 9E 00 A2 01 @.....3.+./.....
0040: 00 00 45 00 0A 00 16 00 14 00 17 00 18 00 19 00 ..E.............
0050: 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 16 00 0B 00 ................
0060: 02 01 00 00 0D 00 1C 00 1A 06 03 06 01 05 03 05 ................
0070: 01 04 03 04 01 04 02 03 03 03 01 03 02 02 03 02 ................
0080: 01 02 02 FF 01 00 01 00 ........
%% Initialized: [Session-40, SSL_NULL_WITH_NULL_NULL]
  2C 64 01 19 16 03 63 6F ....&...,d....co
0090: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0.....&...,d. .......
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], SEND TLSv1.2 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 64
0000: C7 14 39 F1 B1 68 3C 2B 3E 3C F9 59 1E 5E 8C F4 ..9..h<+><.Y.^..
0010: 01 00 E8 DA 73 D8 0C B6 51 8B 57 0F 3C 11 5A E2 ....s...Q.W.<.Z.
0020: D6 3F 2E 45 42 DB 1B 54 E6 03 5F E8 23 C9 DA 9C .?.EB..T.._.#...
0030: 8E 8C 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D ................
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], WRITE: TLSv1.2 Alert, length = 64
[Raw write]: length = 69
0000: 15 03 03 00 40 F7 ED EC BD 91 97 95 4C 8C DF 16 ....@.......L...
0010: 4A CE FB 01 2E 99 E2 FD 4D B4 F7 68 BA 7B 98 07 J.......M..h....
0020: 1A 84 2C E9 9C 5C D8 F1 84 CD D2 F0 39 4F B0 12 ..,..\......9O..
0030: 95 48 F6 5F 5B 14 A2 02 41 2F 5A E8 A7 F3 1E 65 .H._[...A/Z....e
0040: 1B B1 BE 48 BB ...H.
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#3], closeOutboundInternal()
Standard ciphersuite chosen: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
%% Negotiating: [Session-40, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1511529209 bytes = { 197, 20, 240, 171, 131, 155, 239, 101, 125, 223, 7, 242, 83, 102, 237, 75, 112, 180, 213, 72, 25, 143, 110, 79, 185, 22, 61, 229 }
Session ID: {90, 24, 27, 249, 98, 209, 218, 130, 81, 251, 233, 42, 137, 59, 230, 220, 130, 73, 170, 205, 156, 123, 28, 115, 167, 173, 18, 52, 0, 166, 219, 10}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=ppjbies1.services.ingenico.com, OU=APO, O=Ingenico, L=France, C=FR
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key: Sun RSA public key, 2048 bits
  modulus: 18064921354489852508993127027925376066778304116073610862176631673270256570327624165869734576872085117977348782037160617552209238151199666595325892602232671614704707062365592163068816885003452529178773550773770572518227411333816445153462676818051213112313466711109217566735794204149027894627013201417436365493293256810832702861958045647124768607294634223790506902299607419914203463020750147507391444257415498786814192403108729379625941842128383642891468587393939251603544641452936897393276703634523517589633486000259596240426308592960812987414502319161178866400467712824775706495030431786359187511046195890552791518049
  public exponent: 65537
  Validity: [From: Wed Nov 22 16:19:51 GMT 2017,
               To: Fri Nov 22 16:19:51 GMT 2019]
  Issuer: CN=Ingenico Signing CA, OU=Ingenico Signing CA, O=Ingenico, DC=ingenico, DC=com
  SerialNumber: [ 02]

Certificate Extensions: 7
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A .XQ....!....."GZ
0010: BD 9E 2B 70 ..+p
]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[3]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl]
]]

[4]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[5]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[6]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ppjbies1.services.ingenico.com
  DNSName: localhost
  IPAddress: 172.21.22.38
  OIDName: 1.2.3.4.5.5
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 77 B4 4D 46 B5 92 47 48 17 91 6F 23 5F 46 61 56 w.MF..GH..o#_FaV
0010: 7C 0C C1 C8 ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 89 17 4E 12 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED ..N.V.C]<.....h.
0010: 3E 1A E1 31 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 >..1v.]..Rw.=.9.
0020: EB 2B 19 5E 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 .+.^x2...y...y..
0030: 84 B8 6D B8 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 ..m.n..S..^. ..7
0040: 39 A0 C2 47 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 9..G)ZJ.([..&..0
0050: 43 16 64 36 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 C.d6iB....M.NcW.
0060: 82 C8 55 CA B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 ..U...W....CU.r.
0070: 29 C4 4A 64 88 4B 7F 25 A1 59 E9 FB A9 B2 B5 1D ).Jd.K.%.Y......
0080: 73 70 30 CA 33 D7 F3 0F B1 3D 0C 71 F6 BA BA 22 sp0.3....=.q..."
0090: EF F8 7C DE F0 31 41 A9 76 8E 05 3D 03 12 3F AA .....1A.v..=..?.
00A0: E2 17 F5 5F FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F ..._.M....o'$...
00B0: 00 36 07 2F BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 .6./.b....].r;.B
00C0: A9 A4 81 B9 F0 EF 67 57 CD EA C1 BE BF CB 20 DE ......gW...... .
00D0: E5 11 F3 35 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 ...5bX.........E
00E0: 9F 79 6E DC F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 .yn.....D....8..
00F0: B1 76 BB 47 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 .v.G.I....n..7..

]
chain [1] = [
[
  Version: V3
  Subject: CN=Ingenico Signing CA, OU=Ingenico Signing CA, O=Ingenico, DC=ingenico, DC=com
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key: Sun RSA public key, 2048 bits
  modulus: 25401584571038775979607975285408514307764097153855163720983375600685013110287744065471284196111235549192912025313072890847266900630754641885195429109539996477347803786475877936094308787919571242900954684180751067754282949233377334064194787814558548293309815351829443613669719592776082525563017426701047792736535904880999155049315130761821098742029602012185995909946657587846899715202831440099035646268672534274772721915305532175578933219991015506072207170772259046646159751553373278023070596457356408101672446565479119958486331221218156822829316497007137499876726676976552997223674258988908516629630726192040234634651
  public exponent: 65537
  Validity: [From: Wed Nov 22 16:19:48 GMT 2017,
               To: Mon Nov 22 16:19:48 GMT 2027]
  Issuer: CN=Ingenico Root CA, OU=Ingenico Root CA, O=Ingenico, DC=ingenico, DC=com
  SerialNumber: [ 02]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 ..\.Y\.\.b\[\.\.A<..
0010: 23 11 31 8B #.1.
]
]

[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[4]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A .XQ....!....."GZ
0010: BD 9E 2B 70 ..+p
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 02 32 49 FB 25 7C 47 CC 17 38 5B 00 F8 D6 5E D7 .2I.%.G..8[...^.
0010: 2F FA E6 BC 4B 81 B7 1A 91 8F 38 AD DA 5B 54 DF /...K.....8..[T.
0020: 13 DB 56 9B 51 CC 0A C8 F4 07 EF 53 95 94 DD 98 ..V.Q......S....
0030: 9F EB A2 FE 09 7D E5 23 F6 B5 B5 B2 0D 59 71 66 .......#.....Yqf
0040: B1 64 A5 3A 59 C9 44 7F 01 B7 AE 5E F3 E1 79 08 .d.:Y.D....^..y.
0050: 24 BB C9 CA AC 5F BD B4 D5 76 36 3D CA 07 0E 39 $...._...v6=...9
0060: 02 8D 23 84 FA 80 2C A5 74 2D B2 36 DF CA E5 F9 ..#...,.t-.6....
0070: 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 77 93 D6 E8 D4 .....:..T..w....
0080: 41 F1 A9 93 6B 03 E5 C0 91 3B 3C 9C 4C B6 21 ED A...k....;<.L.!.
0090: 2D C7 20 9A D4 CC 22 23 01 6D 96 B4 3C 8F 78 25 -. ..."#.m..<.x%
00A0: 7E ED 4A DA 14 BC 9C 7D 4C BF 94 60 82 BB BC 53 ..J.....L..`...S
00B0: AC 00 2B 50 45 74 F2 71 4D BF 7F B9 CF 96 27 CC ..+PEt.qM.....'.
00C0: D2 27 E2 37 CE 84 0D 7F F2 3E E6 06 63 5A E6 71 .'.7.....>..cZ.q
00D0: 1F 08 14 B4 C4 A4 E0 F0 9E CB AA 10 FF BA 63 95 ..............c.
00E0: 96 BD 13 25 5B 3D D5 51 FF 76 00 3E 57 84 30 EC ...%[=.Q.v.>W.0.
00F0: AC B3 7D 02 07 D2 93 5A 00 D4 B0 E9 97 86 9A 23 .......Z.......#

]
***

00A0: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 ...ingenico1.0..
00B0: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C .U....Ingenico1.
00C0: 30 1A 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 0...U....Ingenic
00D0: 6F 20 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A o Signing CA1.0.
00E0: 06 03 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 ..U....Ingenico
00F0: 53 69 67 6E 69 6E 67 20 43 41 30 1E 17 0D 31 37 Signing CA0...17
0100: 31 31 32 32 31 36 31 39 35 31 5A 17 0D 31 39 31 1122161951Z..191
0110: 31 32 32 31 36 31 39 35 31 5A 30 68 31 0B 30 09 122161951Z0h1.0.
0120: 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 ..U....FR1.0...U
0130: 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 03 ....France1.0...
0140: 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C 30 U....Ingenico1.0
0150: 0A 06 03 55 04 0B 13 03 41 50 4F 31 27 30 25 06 ...U....APO1'0%.
0160: 03 55 04 03 13 1E 70 70 6A 62 69 65 73 31 2E 73 .U....ppjbies1.s
0170: 65 72 76 69 63 65 73 2E 69 6E 67 65 6E 69 63 6F ervices.ingenico
0180: 2E 63 6F 6D 30 82 01 22 30 0D 06 09 2A 86 48 86 .com0.."0...*.H.
0190: F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A ............0...
01A0: 02 82 01 01 00 8F 1A 0B C4 67 3F BC 37 24 27 1F .........g?.7$'.
01B0: 3A 31 60 30 03 8A BE 26 FE 5E 38 94 5F A8 48 54 :1`0...&.^8._.HT
01C0: F6 BC 21 FB 23 13 E9 AF 96 0A 6A A2 CE A2 40 03 ..!.#.....j...@.
01D0: 7D 2B 5E 2F 59 03 6A AA A5 E5 8C 21 0E 70 CC D4 .+^/Y.j....!.p..
01E0: 9C 44 B9 1E 54 57 E1 F9 DC 7E AC F0 3B 43 0F 5A .D..TW......;C.Z
01F0: B5 D4 55 89 24 9D 83 E3 3C C2 89 08 E3 54 55 2F ..U.\.\.\.&lt;\.\.\.\.TU/ 0200: 20 CD C8 03 DC 32 C6 FE 37 88 06 C4 DD B8 EC AB \.\.\.\.2\.\.7\.\.\.\.\.\.\. 0210: 2C F4 0C ED CF 9C 94 4C 1F 85 C8 FD 7E 1F 3E F0 ,\.\.\.\.\.\.L\.\.\.\.\.\.&gt;\. 0220: 6D 33 DB E3 06 A2 CB 87 09 DA 95 3B BB EB 19 B8 m3\.\.\.\.\.\.\.\.\.;\.\.\.\. 0230: C3 CC 50 0C E6 EA D4 63 B5 22 8F 26 4B 56 9B 50 \.\.P\.\.\.\.c\.&quot;\.&amp;KV\.P 0240: 3D E5 96 6A 57 8E 71 31 B6 21 DE 2B 4B 37 45 A6 =\.\.jW\.q1\.\!\.\+K7E\. 0250: 5A A8 ED C3 8D E4 1D FF 76 0B CD 5E 79 C5 E5 55 Z\.\.\.\.\.\.\.v\.\.^y\.\.U 0260: 13 01 AA 2B 59 43 C3 D0 A2 94 A6 4F A6 F7 5F C8 \.\.\.\+YC\.\.\.\.\.O\.\.\_\. 0270: 35 04 8E E2 65 9F 27 4D 45 93 52 DF 22 A2 B8 B7 5\.\.\.e\.&#39;ME\.R\.&quot;\.\.\. 0280: B1 BE 30 30 CC A0 4C 0E 04 32 F2 21 86 AA 54 44 \.\.00\.\.L\.\.2\.\!\.\.TD 0290: A3 AB 65 A6 26 57 3E 92 7D 57 40 B3 55 4A 68 F7 \.\.e\.&amp;W&gt;\.\.W@\.UJh\. 02A0: 17 66 56 4B 61 02 03 01 00 01 A3 82 01 25 30 82 \.fVKa\.\.\.\.\.\.\.\.%0\. 02B0: 01 21 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 \.\!0\.\.\.U\.\.\.\.\.\.\.\.\. 02C0: 05 A0 30 09 06 03 55 1D 13 04 02 30 00 30 1D 06 \.\.0\.\.\.U\.\.\.\.0\.0\.\. 02D0: 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 \.U\.%\.\.0\.\.\.\+\.\.\.\.\. 02E0: 03 01 06 08 2B 06 01 05 05 07 03 02 30 1D 06 03 \.\.\.\.\+\.\.\.\.\.\.\.0\.\.\. 02F0: 55 1D 0E 04 16 04 14 77 B4 4D 46 B5 92 47 48 17 U\.\.\.\.\.\.w\.MF\.\.GH\. 0300: 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 1F 06 03 55 \.o\#\_FaV\.\.\.\.0\.\.\.U 0310: 1D 23 04 18 30 16 80 14 93 58 51 F7 1A 12 15 21 \.\#\.\.0\.\.\.\.XQ\.\.\.\.\! 0320: 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 30 62 06 03 \.\.\.\.\.&quot;GZ\.\.\+p0b\.\. 0330: 55 1D 1F 04 5B 30 59 30 57 A0 55 A0 53 86 51 68 U\.\.\.\[0Y0W\.U\.S\.Qh 0340: 74 74 70 73 3A 2F 2F 72 61 77 2E 67 69 74 68 75 ttps://raw\.githu 0350: 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D busercontent\.com 0360: 2F 66 6C 6F 72 61 67 75 6E 6E 63 6F 6D 2F 75 6E /floragunncom/un 0370: 69 74 74 65 73 74 2D 61 73 73 65 74 73 2F 6D 61 ittest\-assets/ma 0380: 73 74 65 72 2F 72 65 76 6F 6B 65 64 2E 63 72 6C ster/revoked\.crl 0390: 30 41 06 03 55 1D 11 04 3A 30 38 82 1E 70 70 6A 0A\.\.U\.\.\.:08\.\.ppj 03A0: 62 69 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 bies1\.services\.i 03B0: 6E 67 65 6E 69 63 6F 2E 63 6F 6D 82 09 6C 6F 63 ngenico\.com\.\.loc 03C0: 61 6C 68 6F 73 74 87 04 AC 15 16 26 88 05 2A 03 alhost\.\.\.\.\.&amp;\.\.\*\. 03D0: 04 05 05 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B \.\.\.0\.\.\.\*\.H\.\.\.\.\.\. 03E0: 05 00 03 82 01 01 00 89 17 4E 12 56 7F 43 5D 3C \.\.\.\.\.\.\.\.\.N\.V\.C\]&lt; 03F0: CE D9 F1 96 A5 68 ED 3E 1A E1 31 76 A7 5D 97 E8 \.\.\.\.\.h\.&gt;\.\.1v\.\]\.\. 0400: 52 77 DA 3D F4 39 07 EB 2B 19 5E 78 32 B6 0D 02 Rw\.=\.9\.\.\+\.^x2\.\.\. 0410: 79 C4 00 C1 79 A4 02 84 B8 6D B8 6E CC 04 53 A4 y\.\.\.y\.\.\.\.m\.n\.\.S\. 0420: D5 5E 80 20 D5 CC 37 39 A0 C2 47 29 5A 4A 08 28 \.^\. \.\.79\.\.G\)ZJ\.\( 0430: 5B CD 7E 26 11 2E 30 43 16 64 36 69 42 8A E1 E2 \[\.\.&amp;\.\.0C\.d6iB\.\.\. 0440: 0C 4D BC 4E 63 57 06 82 C8 55 CA B1 85 57 CF D7 \.M\.NcW\.\.\.U\.\.\.W\.\. 0450: C0 1C 43 55 F3 72 B6 29 C4 4A 64 88 4B 7F 25 A1 \.\.CU\.r\.\)\.Jd\.K\.%\. 0460: 59 E9 FB A9 B2 B5 1D 73 70 30 CA 33 D7 F3 0F B1 Y\.\.\.\.\.\.sp0\.3\.\.\.\. 0470: 3D 0C 71 F6 BA BA 22 EF F8 7C DE F0 31 41 A9 76 =\.q\.\.\.&quot;\.\.\.\.\.1A\.v 0480: 8E 05 3D 03 12 3F AA E2 17 F5 5F FA 4D EE 80 89 \.\.=\.\.?\.\.\.\.\_\.M\.\.\. 0490: 8C 6F 27 24 A6 B2 0F 00 36 07 2F BA 62 B3 1A 0F \.o&#39;....6./.b...
04A0: 93 5D 81 72 3B AB 42 A9 A4 81 B9 F0 EF 67 57 CD .].r;.B......gW.
04B0: EA C1 BE BF CB 20 DE E5 11 F3 35 62 58 F4 08 E1 ..... ....5bX...
04C0: BC D6 B2 A6 DC 93 45 9F 79 6E DC F0 1B A8 CA 44 ......E.yn.....D
04D0: F6 86 0E DA 38 0D E1 B1 76 BB 47 0A 49 DA CF F2 ....8...v.G.I...
04E0: E4 6E 8F E1 37 9C F8 00 03 DB 30 82 03 D7 30 82 .n..7.....0...0.
04F0: 02 BF A0 03 02 01 02 02 01 02 30 0D 06 09 2A 86 ..........0...*.
0500: 48 86 F7 0D 01 01 0B 05 00 30 78 31 13 30 11 06 H........0x1.0..
0510: 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D ...&...,d....com
0520: 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0.....&...,d..
0530: 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 ..ingenico1.0...
0540: 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 30 U....Ingenico1.0
0550: 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 6F ...U....Ingenico
0560: 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 04 Root CA1.0...U.
0570: 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F 74 ...Ingenico Root
0580: 20 43 41 30 1E 17 0D 31 37 31 31 32 32 31 36 31 CA0...171122161
0590: 39 34 38 5A 17 0D 32 37 31 31 32 32 31 36 31 39 948Z..2711221619
05A0: 34 38 5A 30 7E 31 13 30 11 06 0A 09 92 26 89 93 48Z0.1.0.....&..
05B0: F2 2C 64 01 19 16 03 63 6F 6D 31 18 30 16 06 0A .,d....com1.0...
05C0: 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 67 65 ..&...,d....inge
05D0: 6E 69 63 6F 31 11 30 0F 06 03 55 04 0A 0C 08 49 nico1.0...U....I
05E0: 6E 67 65 6E 69 63 6F 31 1C 30 1A 06 03 55 04 0B ngenico1.0...U..
05F0: 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 ..Ingenico Signi
0600: 6E 67 20 43 41 31 1C 30 1A 06 03 55 04 03 0C 13 ng CA1.0...U....
0610: 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 Ingenico Signing
0620: 20 43 41 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 CA0.."0...*.H..
0630: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 ...........0....
0640: 82 01 01 00 C9 38 24 AC 9F 51 53 FE 46 D0 06 97 .....8$..QS.F...
0650: 2A 68 55 68 F4 26 3A 0F 27 0E 6E CB 2B CB D7 6D *hUh.&:.'.n.+..m
0660: 7F D2 37 6B F8 6D 34 EA A9 BE 53 04 11 09 C1 42 ..7k.m4...S....B
0670: FA 5D 5D 4A CA 48 25 C3 F7 6C 37 37 86 B0 70 22 .]]J.H%..l77..p"
0680: 3F BA F6 E9 D4 DA 2C DB 48 4F 48 F0 9A CF AA 60 ?.....,.HOH....`
0690: 11 6D 4E 40 35 86 9C 15 8A 1E 3D 25 CE B4 EF 10 .mN@5.....=%....
06A0: 4C C9 A6 82 47 3D AA 32 13 C3 9C 9A C8 29 BE 70 L...G=.2.....).p
06B0: 9F 20 B9 4B C9 26 01 CC DE 68 86 C1 87 D5 62 3D . .K.&...h....b=
06C0: FD 9F 8D FE A7 09 F4 9E 0B A9 46 31 E7 D8 E6 DA ..........F1....
06D0: 97 5F 10 75 66 EA D6 AE 05 39 C6 FD 4A 78 44 58 ._.uf....9..JxDX
06E0: 7D F9 00 4A D7 2B 74 1B 3C 3E 06 34 A9 6C 80 78 ...J.+t.<>.4.l.x
06F0: 84 74 E4 B5 14 5A 2A CA 02 46 65 C1 26 90 63 05 .t...Z*..Fe.&.c.
0700: 5C 71 29 FE 29 2C 0D F3 73 2E 46 8D AA 4A 3B 1D \q).),..s.F..J;.
0710: 1F 8D 0C AE D1 97 83 C3 F6 2E 49 08 2F 91 0B 5A ..........I./..Z
0720: AF A9 A5 A9 7D CE 3D 4D 4B A9 4A C9 26 71 4C 3C ......=MK.J.&qL<
0730: 9C 5E A7 5C 25 CB FA 7D 11 53 E7 F7 4E AA 79 DC .^.\%....S..N.y.
0740: 78 1E CD 9B 02 03 01 00 01 A3 66 30 64 30 0E 06 x.........f0d0..
0750: 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 12 06 .U...........0..
0760: 03 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 .U.......0......
0770: 00 30 1D 06 03 55 1D 0E 04 16 04 14 93 58 51 F7 .0...U.......XQ.
0780: 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 ...!....."GZ..+p
0790: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 0E 89 24 0...U.#..0..... 07A0: A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 23 11 31 \.Y\.\.b\[\.\.A<..#.1
07B0: 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 .0...*.H........
07C0: 03 82 01 01 00 02 32 49 FB 25 7C 47 CC 17 38 5B ......2I.%.G..8[
07D0: 00 F8 D6 5E D7 2F FA E6 BC 4B 81 B7 1A 91 8F 38 ...^./...K.....8
07E0: AD DA 5B 54 DF 13 DB 56 9B 51 CC 0A C8 F4 07 EF ..[T...V.Q......
07F0: 53 95 94 DD 98 9F EB A2 FE 09 7D E5 23 F6 B5 B5 S...........#...
0800: B2 0D 59 71 66 B1 64 A5 3A 59 C9 44 7F 01 B7 AE ..Yqf.d.:Y.D....
0810: 5E F3 E1 79 08 24 BB C9 CA AC 5F BD B4 D5 76 36 ^..y.\.\.\.\.\_\.\.\.v6 0820: 3D CA 07 0E 39 02 8D 23 84 FA 80 2C A5 74 2D B2 =\.\.\.9\.\.\#\.\.\.,\.t\-\. 0830: 36 DF CA E5 F9 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 6\.\.\.\.\.\.\.\.\.:\.\.T\.\. 0840: 77 93 D6 E8 D4 41 F1 A9 93 6B 03 E5 C0 91 3B 3C w\.\.\.\.A\.\.\.k\.\.\.\.;&lt; 0850: 9C 4C B6 21 ED 2D C7 20 9A D4 CC 22 23 01 6D 96 \.L\.\!\.\-\. \.\.\.&quot;\#\.m\. 0860: B4 3C 8F 78 25 7E ED 4A DA 14 BC 9C 7D 4C BF 94 \.&lt;\.x%\.\.J\.\.\.\.\.L\.\. 0870: 60 82 BB BC 53 AC 00 2B 50 45 74 F2 71 4D BF 7F \`\.\.\.S\.\.\+PEt\.qM\.\. 0880: B9 CF 96 27 CC D2 27 E2 37 CE 84 0D 7F F2 3E E6 \.\.\.&#39;\.\.&#39;\.7\.\.\.\.\.&gt;\. 0890: 06 63 5A E6 71 1F 08 14 B4 C4 A4 E0 F0 9E CB AA \.cZ\.q\.\.\.\.\.\.\.\.\.\.\. 08A0: 10 FF BA 63 95 96 BD 13 25 5B 3D D5 51 FF 76 00 \.\.\.c\.\.\.\.%\[=\.Q\.v\. 08B0: 3E 57 84 30 EC AC B3 7D 02 07 D2 93 5A 00 D4 B0 &gt;W\.0\.\.\.\.\.\.\.\.Z\.\.\. 08C0: E9 97 86 9A 23 0C 00 01 49 03 00 17 41 04 17 F0 \.\.\.\.\#\.\.\.I\.\.\.A\.\.\. 08D0: E9 F0 D9 ED 60 8B 0C 3A B9 26 06 CF 38 39 4C A0 \.\.\.\.\`\.\.:\.&amp;\.\.89L\. 08E0: E9 0E 20 99 FE 2A 60 00 31 18 0B 15 45 6D EA 12 \.\. \.\.\*\`\.1\.\.\.Em\.\. 08F0: B2 F6 8D E9 55 9C EC C1 05 F4 4F 46 E5 16 63 60 \.\.\.\.U\.\.\.\.\.OF\.\.c\` 0900: BD 5B BC 93 3C D2 3C 9B 69 73 93 8A 33 4F 06 01 \.\[\.\.&lt;\.&lt;\.is\.\.3O\.\. 0910: 01 00 81 66 29 2B D9 A0 A4 D3 1F 4D 14 24 E7 10 \.\.\.f\)\+\.\.\.\.\.M\...
0920: FC EB 1D 95 B0 11 39 F2 A1 FA 43 AF 91 C9 E5 E9 ......9...C.....
0930: 42 21 A4 AF A9 3B 4A 6B 2C 16 0B E0 2D 84 8E 51 B!...;Jk,...-..Q
0940: 5E C7 CA FB EA 89 DF FC 08 1F F5 39 38 EF 9E DB ^..........98...
0950: A5 DD FB A1 61 E3 A0 6D F2 71 D5 94 C9 D9 AF F5 ....a..m.q......
0960: E6 1A C1 0C 46 97 D9 35 85 34 30 18 0C 36 A5 CD ....F..5.40..6..
0970: C5 B4 D0 42 B9 0C 77 95 C1 5D E3 96 E3 D8 00 53 ...B..w..].....S
0980: A1 E3 98 4A 94 69 FA 13 65 9A 42 B3 AC BF 13 12 ...J.i..e.B.....
0990: 29 B9 8E 0A 7E EC AE 3B 63 C7 F2 64 D7 77 BC 7D )......;c..d.w..
09A0: 6E 1B A8 3F 69 62 D7 77 3A C5 FD 48 94 BA 01 CA n..?ib.w:..H....
09B0: B3 52 F9 49 38 0D E7 95 C1 7A D3 69 5A 7C 4E 06 .R.I8....z.iZ.N.
09C0: DF 25 54 49 BB B7 6E A4 34 F7 42 7B 5E 67 5A 5C .%TI..n.4.B.^gZ\
09D0: 16 45 F0 E4 3A B9 C6 52 EB 73 2C 3D 14 B5 FC A3 .E..:..R.s,=....
09E0: AC EC 20 14 A0 C7 AB B0 22 CC F6 A3 F9 96 20 93 .. ....."..... .
09F0: B0 E6 AA 68 D6 F3 3E 96 D3 02 1E 44 58 5E A8 17 ...h..>....DX^..
0A00: 17 F8 5B DF 6E 2F 9A F8 A8 4D 3F 5F 8A CD A9 D7 ..[.n/...M?_....
0A10: 6F BD 0D 00 00 F0 03 01 02 40 00 1A 06 03 06 01 o........@......
0A20: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 ................
0A30: 02 03 02 01 02 02 00 CE 00 7A 30 78 31 13 30 11 .........z0x1.0.
0A40: 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F ....&...,d....co
0A50: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0.....&...,d.
0A60: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 ...ingenico1.0..
0A70: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 .U....Ingenico1.
0A80: 30 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 0...U....Ingenic
0A90: 6F 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 o Root CA1.0...U
0AA0: 04 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F ....Ingenico Roo
0AB0: 74 20 43 41 00 50 30 4E 31 0B 30 09 06 03 55 04 t CA.P0N1.0...U.
0AC0: 06 13 02 46 52 31 0F 30 0D 06 03 55 04 07 13 06 ...FR1.0...U....
0AD0: 46 72 61 6E 63 65 31 11 30 0F 06 03 55 04 0A 13 France1.0...U...
0AE0: 08 49 6E 67 65 6E 69 63 6F 31 0C 30 0A 06 03 55 .Ingenico1.0...U
0AF0: 04 0B 13 03 41 50 4F 31 0D 30 0B 06 03 55 04 03 ....APO1.0...U..
0B00: 13 04 6A 69 72 61 0E 00 00 00 ..jira....
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Handshake, length = 2826
[Raw write]: length = 2831
0000: 16 03 03 0B 0A 02 00 00 4D 03 03 5A 18 1B F9 9B ........M..Z....
0010: 68 16 39 1A 61 6A 41 63 02 00 CF BC B5 6A C5 C5 h.9.ajAc.....j..
0020: 81 69 5A 8D AF 01 79 86 98 E6 2E 20 5A 18 1B F9 .iZ...y.... Z...
0030: E4 27 88 72 47 11 5B 8F E4 BE CA 0E B2 B4 C0 33 .'.rG.[........3
0040: EC 92 7B 6E 08 61 6D 19 93 2D 9E 3A C0 27 00 00 ...n.am..-.:.'..
0050: 05 FF 01 00 01 00 0B 00 08 70 00 08 6D 00 04 8C .........p..m...
0060: 30 82 04 88 30 82 03 70 A0 03 02 01 02 02 01 02 0...0..p........
0070: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 0...*.H........0
0080: 7E 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 .1.0.....&...,d.
0090: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 ...com1.0.....&.
00A0: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F ..,d....ingenico
00B0: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0...U....Ingen
00C0: 69 63 6F 31 1C 30 1A 06 03 55 04 0B 0C 13 49 6E ico1.0...U....In
00D0: 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 genico Signing C
00E0: 41 31 1C 30 1A 06 03 55 04 03 0C 13 49 6E 67 65 A1.0...U....Inge
00F0: 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 41 30 nico Signing CA0
0100: 1E 17 0D 31 37 31 31 32 32 31 36 31 39 35 31 5A ...171122161951Z
0110: 17 0D 31 39 31 31 32 32 31 36 31 39 35 31 5A 30 *** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
..191122161951Z0
0120: 68 31 0B 30 09 06 03 55 04 06 13 02 46 52 31 0F h1.0...U....FR1.
0130: 30 0D 06 03 55 04 07 13 06 46 72 61 6E 63 65 31 0...U....France1
0140: 11 30 0F 06 03 55 04 0A 13 08 49 6E 67 65 6E 69 .0...U....Ingeni
0150: 63 6F 31 0C 30 0A 06 03 55 04 0B 13 03 41 50 4F co1.0...U....APO
0160: 31 27 30 25 06 03 55 04 03 13 1E 70 70 6A 62 69 1'0%..U....ppjbi
Server key: Sun EC public key, 256 bits
  public x coord: 94603154185594758712177503329309423254472990815864490343227687521905671056078
  public y coord: 55741497693188403891737767541228575825312812852334675528804140042533062606815
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
0170: 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 6E 67 es1.services.ing
0180: 65 6E 69 63 6F 2E 63 6F 6D 30 82 01 22 30 0D 06 enico.com0.."0..
0190: 09 2A 86 48 86 F7*** CertificateRequest
Cert Types: RSA 0D 01 01 01 05 00 03 82 01 0F .*.H............
01A0: 00 30 82 01 0A 02 82 01 01 00 8F 1A 0B C4 67 3F .0............g?
01B0: BC 37 24 27 1F 3A 31 60 30 03 8A BE 26 FE 5E 38 .7$'.:1`0...&.^8
01C0: 94 5F A8 48 54 F6 BC 21 FB 23 13 E9 AF 96 0A 6A ._.HT..!.#.....j
01D0: A2 CE A2 40 03 7D 2B 5E 2F 59 03 6A AA A5 E5 8C ...@..+^/Y.j....
01E0: 21 0E 70 CC D4 9C 44 B9 1E 54 57 E1 F9 DC 7E AC !.p...D..TW.....
01F0: F0 3B 43 0F 5A B5 D4 55 89 24 9D 83 E3 3C C2 89 , DSS, ECDSA .;C.Z..U.\.\.\.&lt;\.\. 0200: 08 E3 54 55 2F 20 CD C8 03 DC 32 C6 FE 37 88 06 Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA Cert Authorities: \.\.TU/ \.\.\.\.2\.\.7\.\. 0210: C4 DD B8 EC AB 2C F4 0C ED CF 9C 94 4C 1F 85 C8 \.\.\.\.\.,\.\.\.\.\.\.L\.\.\. 0220: FD 7E 1F 3E F0 6D 33 DB E3 06 A2 CB 87 09 DA 95 \.\.\.&gt;\.m3\.\.\.\.\.\.\.\.\. 0230: 3B BB EB 19 B8 C3 CC 50 &lt;CN=Ingenico Root CA, OU=Ingenico Root CA, O=Ingenico, DC=ingenico, DC=com&gt; &nbsp;&nbsp;0C E6 EA D4 63 B5 22 8F ;\.\.\.\.\.\.P\.\.\.\.c\.&quot;\. 0240: 26 4B&lt;CN=jira, OU=APO, O=Ingenico, L=France, C=FR&gt; 56 9B 50 3D E5 96 6A 57 8E 71\*\*\* ServerHelloDone 31\[write\] MD5 and SHA1 hashes: len = 2826 B6 21 DE &amp;KV\.P=\.\.jW\.q1\.\!\. 0250: 2B 4B 37 45 A6 5A A8 ED C3 8D E4 1D FF 76 0B CD \+K7E\.Z\.\.\.\.0\.\.\.v\.\. 0260000: 5E 79 C5 E5 55 13 01 AA 2B 59 43 C3 D0 A2 94 A6 ^y\.\.U\.\.\.\+YC\.\.\.\.\. 0270: 4F A6 F7 5F C8 35 04 8E: 02 00 00 4D 03 03 5A 18 1B F9 C5 14 F0 AB 83 9B \.\.\.M\.\.Z\.\.\.\.\.\.\.\.\. 0010: EF 65 7D DF 07 F2 53 66 ED 4B 70 B4 D5 48 19 8F \.e\.\.\.\.Sf\.Kp\.\.H\.\. 0020: 6E 4F B9 16 3D E5 20 5A 18 1B F9 62 D1 DA 82 51 nO\.\.=\. Z\.\.\.b\.\.\.Q 0030: FB E9 2A 89 3B E6 DC 82 49 AA CD 9C E2 65 9F 27 4D 45 93 52 O\.\.\_\.5\.\.\.e\.&#39;ME\.R 0280: DF 22 A2 B8 B7 B1 BE 30 7B 1C 73 A7 \.\.\*\.;\.\. 30 CC A0 4C 0E 04 32 F2 \.&quot;\.\.\.\.\.00\.\.L\.\.2\. 0290: 21 86 AA 54 44 A3 AB 65 A6 26 57 3E 92 7D 57 40 \!\.\.TD\.\.e\.&amp;W&gt;\.\.W@ 02A0: B3 55 4A 68 F7 17 66 56 4B 61 02 03 01 00 01 A3 \.UJh\.\.fVKa\.\.\.\.\.\. 02B0: 82 01 25 30 82 01 21 30 0E 06 03 55 1D 0F 01 01 \.\.%0\.\.\!0\.\.\.U\.\.\.\. 02C0: FF 04 04 03 02 05 A0 30 09 06 03 55 1D 13 04 02 \.\.\.\.\.\.\.0\.\.\.U\.\.\.\. 02D0: 30 00 30 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 0\.0\.\.\.U\.%\.\.0\.\.\.\+ 02E0: 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 \.\.\.\.\.\.\.\.\.\+\.\.\.\.\.\. 02F0: 02 30 1D 06 03 55\.I\.\.\.\.\.s\. 0040: AD 12 34 00 A6 DB 0A C0 27 00 00 05 FF 01 00 01 \.\.4\.\.\.\.\.&#39;\.\.\.\.\.\.\. 0050: 00 0B 00 08 70 00 08 6D 00 04 8C 30 82 04 88 30 \.\.\.\.p\.\.m\.\.\.0\.\.\.0 0060: 82 03 70 A0 03 02 01 02 02 01 02 1D 0E 04 16 04 14 77 B4 4D 46 \.0\.\.\.U\.\.\.\.\.\.w\.MF 0300: B5 92 47 48 17 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 0D 06 09 2A \.\.GH\.\.o\#\_FaV\.\.\.\. 0310: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 93 58 51 \.\.p\.\.\.\. 0\.\.\.U\.\#\.\.0\.\.\.\.XQ 0320: F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B \.\.\.\.\!\.\.\.\.\.&quot;GZ\.\.\+ 0330: 70 30 62 06 03 55 1D 1F 04 5B 30 59 30 57 A0 55 p0b\.\.U\.\.\.\.\.\.0\.\.\.\* 0070: 86 48 86 F7 0D 01 01 0B 05 00 30 7E 31 13 30 11 \.H\.\.\.\.\.\.\.\.0\.1\.0\. 0080: 06 0A\.\[0Y0W\.U 0340: A0 53 86 51 68 74 74 70 73 3A 2F 2F 72 61 77 2E \.S\.Qhttps://raw\. 0350: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F githubuserconten 0360: 74 2E 63 6F 6D 2F 66 6C 6F 72 61 67 75 6E 6E 63 t\.com/floragunnc 0370: 6F 6D 2F 75 6E 69 74 74 65 73 74 2D 61 73 73 65 om/unittest\-asse 0380: 74 73 2F 6D 61 73 74 65 72 2F 72 65 76 6F 6B 65 ts/master/revoke 0390: 64 2E 63 72 6C 30 41 06 03 55 1D 11 04 3A 30 38 d\.crl0A\.\.U\.\.\.:08 03A0: 82 1E 70 70 6A 62 69 65 73 31 2E 73 65 72 76 69 \.\.ppjbies1\.servi 03B0: 63 65 73 2E 69 6E 67 65 6E 69 63 6F 2E 63 6F 6D ces\.ingenico\.com \.\.\.\.&amp;\.\.\.,d\.\.\.\.co 0090: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1\.0\.\.\.\.\.&amp;\.\.\.,d\. 00A0: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 \.03C0\.\.ingenico1\.0\.\.: 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04 AC 15 16 \.\.localhost\.\.\.\.\. 03D0: 26 88 05 2A 03 04 05 05 30 0D 06 09 2A 86 48 86 &amp;\.\.\*\.\.\.\.0\.\.\.\*\.H\. 03E0: F7 0D 01 01 0B 05 00 03 82 01 01 00 89 17 4E 12 \.\.\.\.\.\.\.\.\.\.\.\.\.\.N\. 03F0: 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED 3E 1A E1 31 V\.C\]&lt;\.\.\.\.\.h\.&gt;\.\.1 0400: 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 EB 2B 19 5E v\.\]\.\.Rw\.=\.9\.\.\+\.^ 0410: 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 84 B8 6D B8 x2\.\.\.y\.\.\.y\.\.\.\.m\. 0420: 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 39 A0 C2 47 n\.\.S\.\.^\. \.\.79\.\.G 0430: 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 43 16 64 36 \)ZJ\.\(\[\.\.&amp;\.\.0C\.d6 0440: 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 82 C8 55 CA iB\.\.\.\.M\.NcW\.\.\.U\. 0450: B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 29 C4 4A 64 \.\.W\. 00B0: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C \.U\.\.\.\.Ingenico1\. 00C0\.\.\.CU\.r\.\)\.Jd 0460: 88 4B 7F 25 A1 59 E9 FB A9 B2 B5 1D 73 70 30 CA \.K: 30 1A 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 0\.\.\.U\.\.\.\.Ingenic 00D0: 6F 20 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A o Signing CA1\.0\. 00E0: 06 03 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 \.\.U\.\.\.\.Ingenico 00F0: 53 69 67 6E 69 6E 67 20 43 41 30 1E 17 0D 31 37 Signing CA0\.\.\.17 0100: 31 31 32 32 31 36 31 39 35 31 5A 17 0D 31 39 31 1122161951Z\.\.191 0110: 31 32 32 31 36 31 39 35 31 5A 30 68 31 0B 30 09 122161951Z0h1\.0\. \.%\.Y\.\.\.\.\.\.sp0\. 0470: 33 D7 F3 0F B1 3D 0C 71 0120 F6 BA BA 22 EF F8 7C DE 3\.\.\.\.=\.q\.\.\.&quot;\.\.\.\. 0480: F0 31: 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 55 \.\.U\.\.\.\.FR1\.0\.\.\.U 0130: 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 03 \.\.\.\.France1\.0\.\.\. 0140: 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C 30 U\.\.\.\.Ingenico1\.0 0150: 0A 06 03 55 04 0B 13 03 41 50 4F 31 27 30 25 06 \.\. 41 A9 76 8E 05 3D 03 12 3F AA E2 17 F5 5F \.1A\.v\.\.=\.\.?\.\.\.\.\_\.U\.\.\.\.APO1&#39;0%\. 0160: 03 55 04 03 13 1E 70 70 6A 62 69 65 73 31 2E 73 \.U\.\.\.\.ppjbies1\.s 0170: 65 72 76 69 63 65 73 2E 69 6E 67 65 6E 69 63 6F ervices\.ingenico 0180: 2E 63 6F 6D 30 82 01 22 30 0D 06 09 2A 86 48 86 \.com0\.\.&quot;0\.\.\.\*\.H\. 0190: F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A \. 0490: FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F 00 36 07 2F \.M\.\.\.\.o&#39;....6./
04A0: BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 A9 A4 81 B9 .b....].r;.B....
...........0...
01A0: 02 82 01 01 00 8F 1A 0B C4 67 3F BC 37 24 27 1F .........g?.7$'.04B0
01B0: 3A 31 60 30 03 8A BE 26 FE 5E 38 94 5F A8 48 54 :1`0...&.^8._.HT
01C0: F6 BC 21 FB 23 13 E9 AF 96 0A 6A A2 CE A2 40 03 ..!.#.: F0 EF 67 57 CD EA C1 BE BF CB 20 DE E5 11 F3 35 ..gW...... .....j...@.
01D0: 7D 2B 5E 2F 59 03 6A AA A5 E5 8C 21 0E 70 CC D4 .+^/Y.j....!.p..
01E0: 9C 44 B9 1E 54 57 E1 F9 DC 7E AC F0 3B 43 0F 5A .D..TW......;C.Z
...5
01F004C0: 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 9F 79 6E DC bX.........E.yn.
04D0: F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 B1 76 BB 47 ....D....8...v.G
: B5 D4 55 89 24 9D 83 E3 3C C2 89 08 E3 54 55 2F ..U.\.\.\.&lt;\.\.\.\.TU/ 0200: 20 CD C8 03 DC 32 C6 FE 37 88 06 C4 DD B8 EC AB \.\.\.\.2\.\.7\.\.\.\.\.\.\. 0210: 2C F4 0C ED CF 9C 94 4C 1F 85 C8 FD 7E 1F 3E F0 ,\.\.\.\.\.\.L\.\.\.\.\.\.&gt;\. 0220: 6D 33 DB E3 06 A2 CB 87 09 DA 95 3B BB EB 19 B8 m3\.\.\.\.\.\.\.\.\.;\.\.\.\. 04E00230: C3 CC 50 0C E6 EA D4 63 B5 22 8F 26 4B 56 9B 50 \.\.P\.\.\.\.c\.&quot;\.&amp;KV\.P 0240: 3D E5 96 6A 57 8E 71 31 B6 21 DE 2B 4B 37 45 A6 =\.\.jW\.q1\.\!\.\+K7E\. 0250: 5A A8 ED C3 8D E4 1D FF 76 0B CD 5E 79 C5 E5 55 Z\.\.\.\.\.\.\.v\.\.^y\.\.U 0260: 13 01 AA 2B 59 43 C3 D0 A2 94 A6 4F A6 F7 5F C8 \.\.\.\+YC\.\.\.\.\.O\.\.\_\. 0270: 35 04 8E E2 65 9F 27 4D 45 93 52 DF 22 A2 B8 B7 5\.\.\.e\.&#39;ME\.R\.&quot;\.\.\. 0280: B1 BE 30 30 CC A0 4C 0E 04 32 F2 21 86 AA 54 44 \.\.00: 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 00 03 DB 30 \.I\.\.\.\.n\.\.7\.\.\.\.\.0 04F0: 82 03 D7 30 82 02 BF A0 03 02\.\.L\.\.2\.\!\.\.TD 0290: A3 AB 65 A6 26 57 3E 92 7D 57 40 B3 55 4A 68 F7 \.\.e\.&amp;W&gt;\.\.W@\.UJh\. 02A0: 17 66 56 4B 61 02 03 01 00 01 A3 82 01 25 30 82 01 02 02 01 02 30 \.\.\.0\.\.\.\.\.\.\.\.\.\.\.0 0500: 0D 06 09 2A 86 \.fVKa\.\.\.\.\.\.\.\.%0\. 02B0: 01 21 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 \.\!0\.\.\.U\.\.\.\.\.\.\.\.\. 02C0: 05 A0 30 09 06 0 3 55 1D 13 04 02 30 00 30 1D 06 \.\.0\.\.\.U\.\.\.\.0\.0\.\. 02D0: 03 55 1D 25 04 16 30 14 06 08 2B 06 01 05 05 07 \.U\.%\.\.0\.\.\.\+\.\.\.\.\. 02E0: 03 01 06 08 2B 06 01 05 05 07 03 02 30 1D48 06 03 \.\.\.\.\+\.\.\.\.\.\.\.0\.\.\. 02F0: 55 1D 0E 04 16 04 14 77 B4 4D 46 B5 92 47 48 17 U\.\.\.\.\.\.w\.MF\.\.GH\. 0300: 91 6F 23 5F 46 61 56 7C 0C C1 C8 30 1F 06 03 55 \.o\#\_FaV\.\.\.\.0\.\.\.U 0310: 1D 23 04 18 30 16 80 14 93 58 51 F7 1A 12 15 21 \.\#\.\.0\.\.\.\.XQ\.\.\.\.\! 0320: 9D 13 F8 90 18 22 47 5A BD 9E 2B 70 30 62 06 03 \.\.\.\.\.&quot;GZ\.\.\+p0b\.\. 0330: 55 1D 1F 04 5B 30 59 30 57 A0 55 A0 53 86 51 68 U\.\.\.\[0Y0W\.U\.S 86 F7 0D 01 01 0B 05 00 30 78 \.\.\.\*\.H\.\.\.\.\.\.\.\.0x \.Qh 0340: 74 74 051070 73 3A 2F 2F 72 61 77 2E 67 69 74 68 75 ttps://raw\.githu 0350: 62 75 73 65 72 63 6F 6E 74 65 6E 74 2E 63 6F 6D busercontent\.com 0360: 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 19 1\.0\.\.\.\.\.&amp;\.\.\.,d\.\. : 2F 66 6C 6F 72 61 67 75 6E 6E 630520 6F 6D 2F 75 6E /floragunncom/un 0370: 69 74 74 65 73 74 2D 61 73 73 65 74 73 2F 6D 61 ittest\-assets/ma 0380: 73 74 65 72 2F 72 65 76 6F 6B 65 64 2E 63 72 6C : 16 03 63 6F 6D 31 18 30 ster/revoked\.crl 0390: 30 41 06 03 55 1D 11 04 3A 30 38 82 1E 70 70 6A 0A\.\.U\.\.\.:08\.\.ppj 03A0: 62 69 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 bies1\.services\.i &nbsp;&nbsp;16 06 0A 09 92 26 89 93 03B0\.\.com1\.0\.\.\.\.\.&amp;\.\. 0530: F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F 31 \.,d\.\.\.\.ingenico1 0540: 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 69 \.0\.\.\.U\.\.\.\.Ingeni 0550: 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E 67 co1\.0\.\.\.U\.\.\.\.Ing 0560: 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 30 enico Root CA1\.0 0570: 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 6F \.\.\.U\.\.\.\.Ingenico 0580: 20 52 6F 6F 74 20 43 41 30 1E 17 0D 31 37 31 31 Root CA0\.\.\.1711 0590: 32 32 31 36 31 39 34 38 5A 17 0D 32 37 31 31 32 22161948Z\.\.27112 05A0: 32 31 36 31 39 34 38 5A 30 7E 31 13 30 11 06 0A 2161948Z0\.1\.0\.\.\. : 6E 67 65 6E 69 63 6F 2E 63 6F 6D 82 09 6C 6F 63 ngenico\.com\.\.loc 03C0: 61 6C 68 6F 73 74 87 04 AC 15 16 26 88 05 2A 03 alhost\.\.\.\.\.&amp;\.\.\*\. 03D0: 04 05 05 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B \.\.\.0\.\.\.\*05B0\.H\.\.\.\.\.\. 03E0: 05 00 03 82 01 01 00 89 17 4E 12 56 7F 43 5D 3C \.\.\.\.\.\.\.\.\.N\.V\.C\]&lt;: 09 92 26 89 93 F2 2C 64 01 03F0: CE D9 F1 96 A5 68 ED 3E 1A E1 31 76 A7 5D 97 E8 \.\.\.\.\.h\.&gt;\.\.1v\.\]\.\. 0400: 52 77 DA 3D F4 39 07 EB 2B 19 5E 78 32 B6 0D 02 Rw\.=\.9\.\.\+\.^x2\.\.\. 0410: 79 C4 00 C1 79 A4 02 84 B8 6D B8 6E CC 04 53 A4 y\.\.\.y\.\.\.\.m\.n\.\.S\. 0420: D5 5E 80 20 D5 CC 37 39 A0 C2 47 29 5A 4A 08 28 \.^\. \.\.79\.\.G\)ZJ\.\( 0430: 5B CD 7E 26 11 2E 30 43 16 64 36 69 42 8A E1 E2 \[ 19 16 03 63 6F 6D 31 \.\.&amp;\.\.\.,d\.\.\.\.com1 05C0: 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 \.0\.\.\.\.\.&amp;\.\.\.,d\.\.\. 05D0: 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 55 \.ingenico1\.0\.\.\.U 05E0: 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C 30 1A \.\.\.\.Ingenico1\.0\. 05F0: 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 6F 20 \.\.U\.\.\.\.Ingenico 0600: 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A 06 03\.\.&amp;\.\.0C\.d6iB\.\.\. 0440: 0C 4D BC 4E 63 57 06 82 C8 55 CA B1 85 57 CF D7 \.M\.NcW\.\.\.U\.\.\.W\.\. 0450: C0 1C 43 55 F3 72 B6 29 C4 4A 64 88 4B 7F 25 A1 \.\.CU\.r\.\)\.Jd\.K\.%\. 0460: 59 E9 FB A9 B2 B5 1D 73 70 30 CA 33 D7 F3 0F B1 Y\.\.\.\.\.\.sp0\.3\.\.\.\. 0470: 3D 0C 71 F6 BA BA 22 EF F8 7C DE F0 31 41 Signing CA1\.0\.\.\. 0610: 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 U\.\.\.\.Ingenico Si 0620: 67 6E 69 6E 67 20 43 41 30 82 01 22 30 0D 06 09 gning CA0\.\.&quot;0\.\.\. 0630: 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 \*\.H\.\.\.\.\.\.\.\.\.\.\.\.\. 0640: 30 82 01 0A 02 82 01 01 00 C9 38 24 AC 9F 51 53 0\.\.\.\.\.\.\.\.\.8..QS
0650: FE 46 D0 06 97 2A 68 55 68 F4 26 3A 0F 27 0E 6E A9 76 =.q...".....1A.v
0480: 8E 05 3D 03.F...*hUh.&:.'.n
0660: CB 2B CB D7 6D 7F D2 37 6B F8 6D 34 EA A9 BE 53 .+..m..7k.m4...S
0670: 04 11 09 C1 12 3F AA E2 17 F5 5F FA 4D EE 8042 89 ..=..?...._.M...
0490: 8C 6F 27 24 A6 B2 0F 00 36 07 2F BA 62 B3 1A 0F .o'$....6./.b...
04A0: 93 5D 81 72 3B AB 42 A9 A4 81 B9 F0 EF 67 57 CD .].r;.B......gW.
04B0: EA C1 BE BF CB 20 DE E5 11 F3 35 62 58 F4 08 E1 ..... ....5bX...
04C0: BC D6 B2 A6 DC 93 45 9F 79 6E DC F0 1B A8 CA 44 ......E.yn.....D
04D0: F6 86 0E DA 38 0D E1 B1 76 BB 47 0A 49 DA CF F2 ... FA 5D 5D 4A CA 48 25 C3 F7 6C 37 ....B.]]J.H%..l7
0680: 37 86 B0 70 22 3F BA F6 E9 D4 DA 2C DB 48 4F 48 7..p"?.....,.HOH
0690: F0 9A CF AA 60 11 6D 4E 40 35 86 9C 15 8A 1E 3D ....8...v.G.I...
04E0: E4 6E 8F E1 37 9C F8 00 03 DB 30 82 03 D7 30 82 .n..7.....0...0.
04F0: 02 BF A0 03 02 01 02 02 01 02 30 0D 06 09 2A 86 ..........0...*.
0500: 48 86 F7 0D 01 01 0B.`.mN@5.....= 05 00 30 78 31 13 30 11 06 H........0x1.0..
0510: 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D ...&...,d....com

06A0: 25 CE B4 EF 10 4C C9 A6 82 47 3D AA 32 13 C3 9C %....L...G=.2...
06B0: 9A C8 29 BE 70 9F 20 B9 4B C9 26 01 CC DE 68 86 ..).p. .K.&...h.
06C0: C1 87 D5 62 3D FD 9F 8D FE A7 09 F4 9E 0B A9 46 ...b=..........F
06D0: 31 E7 D8 E6 DA 97 5F 10 75 66 EA D6 AE 05 39 C6 1....._.uf....9.
06E0: FD 4A 78 44 58 7D F9 00 4A D7 2B 74 1B 3C 3E 06 .JxDX...J.+t.<>.
06F0: 34 A9 6C 80 78 84 74 E4 B5 14 5A 2A CA 02 46 65 4.l.x.t...Z*..Fe
0700: C1 26 90 63 05 5C 71 29 FE 29 2C 0D F3 73 2E 46 .&.c.\q).),..s.F
0710: 8D AA 4A 3B 1D 1F 8D 0C AE D1 97 83 C3 F6 2E 49 ..J;...........I
0720: 08 2F 91 0B 5A AF A9 A5 A9 7D CE 3D 4D 4B A9 4A ./..Z......=MK.J
0730: C9 26 71 4C 3C 9C 5E A7 5C 25 CB FA 7D 11 53 E7 .&qL<.^.\%....S.
0740: F7 4E AA 79 DC 78 1E CD 9B 02 03 01 00 01 A3 66 .N.y.x.........f
0750: 30 64 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 0d0...U.........
0760: 01 06 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 ..0520: 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0.....&...,d..
0530: 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 ..ingenico1.0...
0540: 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 30 U....Ingenico1.0
0550: 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 6F ..0.U....Ingenico
0560: 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 04 Root CA1.0...U.
0570: 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F 74 ...Ingenico Root
0580: 20 43 41 30 1E 17 0D 31 37 31 31 32 32 31 36 31 CA0...171122161
...U.......0.
0770: 01 01 FF 02 01 00 30 1D 06 03 55 1D 0E 04 16 04 ......0...U.....
0780: 14 93 58 51 F7 1A 12 15 21 9D 13 F8 90 18 22 47 ..XQ....!....."G
0790: 5A BD 9E 2B 70 30 1F 06 03 55 1D 23 04 18 30 16 Z..+p0...U.#..0.
07A0: 80 14 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C ....\.Y\.\.b\[\.\.A<
07B0: AF 81 23 11 31 8B 30 0D 06 09 2A 86 48 86 F7 0D ..#.1.0...*.H...
07C0: 01 01 0B 05 00 03 82 01 01 00 02 32 49 FB 25 7C ...........2I.%.
07D0: 47 CC 17 38 5B 00 F8 D6 5E D7 2F FA E6 BC 4B 81 G..8[...^./...K.
07E0: B7 1A 91 8F 38 AD DA 5B 54 DF 13 DB 56 9B 51 CC ....8..[T...V.Q.
07F0: 0A C8 F4 07 EF 53 95 94 DD 98 9F EB A2 FE 09 7D .....S..........
0800: E5 23 F6 B5 B5 B2 0D 59 71 66 B1 64 A5 3A 59 C9 .#.....Yqf.d.:Y.
0810: 44 7F 01 B7 AE 5E F3 E1 79 08 24 BB C9 CA AC 5F D....^..y.\.\.\.\.\_ 0820: BD B4 D5 76 36 3D CA 07 0E 39 02 8D 23 84 FA 80 \.\.\.v6=\.\.\.9\.\.\#\.\.\. 0830: 2C A5 74 2D B2 36 DF CA E5 F9 8C 90 C1 CD 7F 3A ,\.t\-\.6\.\.\.\.\.\.\.\.\.: 00840: 0D 85 54 D9 E9 77 93 D6 590 : 39 34 38 5A 17 0D 32 37 31 31 32 32 31 36 31 39 948Z\.\.2711221619 05A0: 34 38 5A 30 7E 31 13 30 11 06 0A 09 92 26 89 93 48Z0\.1\.0\.\.\.\.\.&amp;\.\. 05B0: F2 2C 64 01 19 16 03 63 6F 6D 31 18 30 16 06 0A \.,d\.\.\.\.com1\.0\.\.\. 05C0E8: 09 92 26 89 93 F2 2C 64 01 19 16 08 69 6E 67 65 \.\.&amp;\.\.\.,d\.\.\.\.inge 05D0: 6E 69 63 6F 31 11 30 0F 06 03 55 04 0A 0C 08 49 nico1\.0\.\.\.U\.\.\.\.I 05E0: 6E 67 65 6E 69 63 6F 31 1C 30 1A 06 03 55 04 0B ngenico1\.0\.\.\.U\.\. 05F0: 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 D4 41 F1 A9 93 6B 03 \.\.T\.\.w\.\.\.\.A\.\.\.k\. 0850: E5 C0 91 3B 3C 9C 4C B6 21 ED 2D C7 20 9A D4 CC \.\.\.;&lt;\.L\.\!\.\-\. \.\.\.\.\.Ingenico Signi 0600: 6E 67 20 43 41 31 1C 30 1A 06 03 55 04 03 0C 13 ng CA1\.0\.\.\.U\.\.\.\. 0610: 49 6E 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 Ingenico Signing 0620: 20 43 41 30 82 0860: 22 23 01 6D 01 22 30 96 B4 3C 8F 78 25 7E ED 4A DA 14 BC &quot;\# 0D 06 09 2A 86 48 86 F7 CA0\.\.&quot;0\.\.\.\*\.H\.\. 0630: 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 \.\.\.\.\.\.\.\.\.\.\.0\.\.\.\. 0640: 82 01 01 00 C9 38 24 AC 9F 51 53 FE 46 D0 06 97 \.\.\.\.\.8..QS.F...
0650: 2A 68 55 68 F4 26 3A 0F 27 0E 6E CB 2B CB D7 6D *hUh.&:.'.n.+..m
0660: 7F D2 37 6B F8 6D 34 EA .m..<.x%..J...
0870: 9C 7D 4C BF 94 60 82 BB BC 53 AC 00 2B 50 45 74 A9..L..`...S..+PEt
0880: F2 71 4D BF 7F B9 CF 96 27 CC D2 27 E2 37 CE 84 .qM.....'..'.7..
0890: 0D 7F F2 3E E6 06 63 5A E6 71 1F 08 14 B4 C4 A4 ...>..cZ.q......
08A0: E0 F0 9E CB AA 10 FF BA 63 95 96 BD 13 25 5B 3D ........c....%[=
08B0: D5 51 FF 76 00 3E 57 84 30 EC AC B3 7D 02 07 D2 .Q.v.>W.0.......
08C0: 93 5A 00 D4 B0 E9 97 86 9A 23 0C 00 01 49 03 00 .Z.... BE 53 04 11 09 C1 42 ..7k.m4...S....B
0670: FA 5D 5D 4A CA 48 25 C3 F7 6C 37 37 86 B0 70 22 .]]J.H%..l77..p"
0680...#...I..
08D0: 17 41 04 17 F0 E9 F0 D9 ED 60 8B 0C 3A B9 26 06 .A......: 3F BA F6 E9 D4 DA 2C DB 48 4F 48 F0 9A CF AA 60 .`..:.&.
08E0: CF 38 39 4C A0 E9 0E 20 99 FE 2A 60 00 31 18 0B .89L... ..*`.1..
08F0: 15 45 6D EA 12 B2 F6 8D E9 55 9C EC C1 05 F4 4F .Em......U.....O
0900: 46 E5 16 63 60 BD 5B BC ?.....,.HOH....`
0690: 11 6D 4E 40 35 86 9C 15 8A 1E 3D 25 CE B4 EF 10 .mN@5.....=%....
06A0: 4C C9 A6 82 47 3D AA 32 13 C3 9C 9A C8 29 BE 70 L...G=.2.....).p
06B0: 9F 20 B9 4B C9 26 01 CC DE 68 86 C1 87 D5 62 3D . .K.&...h....b=
06C0: FD 9F 8D FE A7 09 F4 9E 0B A9 46 31 E7 D8 E6 DA ..........F1....
06D0: 97 5F 10 75 66 EA D6 AE 05 39 C6 FD 4A 78 44 58 ._.uf....9..JxDX
06E0: 7D F9 00 4A D7 2B 74 1B 3C 3E 06 34 A9 6C 80 78 93 3C D2 3C 9B 69 73 93 F..c`.[..<.<.is.
0910: 8A 33 4F 06 01 01 00 81 66 29 2B D9 A0 A4 D3 1F .3O.....f)+.....
0920: 4D 14 24 E7 10 FC EB 1D 95 B0 11 39 F2 A1 FA 43 M.\.\.\.\.\.\.\.\.9\.\.\.C 0930: AF 91 C9 E5 E9 42 21 A4 AF A9 3B 4A 6B 2C 16 0B \.\.\.\.\.B\!\.\.\.;Jk,\.\. 0940: E0 2D 84 8E 51 5E C7 CA FB EA 89 DF FC 08 1F F5 \.\-\.\.Q^\. \.\.\.J\.\+t\.&lt;&gt;\.4\.l\.x 06F0: 84 74 E4 B5 14 5A 2A CA 02 46 65 C1 26 90 63 05 \.t\.\.\.Z\*\.\.Fe\.&amp;\.c\. 0700: 5C 71 29 FE 29 2C 0D F3 73 2E 46 8D AA 4A 3B 1D \\q\)\.\),\.\.s\.F\.\.J;\.\.\.\.\.\.\.\.\.\. 0950: 39 38 EF 9E DB A5 DD FB A1 61 E3 A0 6D F2 71 D5 98\.\.\.\.\.\.\.a\.\.m\.q\. 0960: 94 C9 D9 AF F5 E6 1A C1 0C 46 97 D9 35 85 34 30 \.\.\.\.\.\.\.\.\.F\.\.5\.40 0970: 18 0C 36 A5 CD C5 B4 D0 42 B9 0C 77 95 C1 5D E3 \.\.6\.\.\.\.\.B\.\.w\.\.\]\. 0980: 96 0710: 1F 8D 0C AE D1 97 83 C3 F6 2E 49 08 2F 91 0B 5A \.\.\.\.\.\.E3\.\.\.\.I\./\.\.Z 0720: AF A9 A5 A9 7D CE 3D 4D 4B A9 4A C9 26 71 4C 3C \.\.\.\.\.\.=MK\.J\.&amp;qL&lt; 0730: 9C 5E A7 5C 25 CB FA 7D 11 53 E7 F7 4E AA 79 DC \.^\.\\%\.\.\.\.S\.\.N\.y\. 0740: 78 1E CD 9B 02 03 01 00 01 A3 66 30 64 30 0E 06 x\.\.\.\.\.\.\.\.\.f0d0\.\. 0750: 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 12 06 \.U\.\.\.\.\.\.\.\.\.\.\.0\.\. 0760: 03 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 D8 00 53 A1 E3 98 4A 94 69 FA 13 65 9A 42 \.\.\.\.S\.\.\.J\.i\.\.e\.B 0990: B3 AC BF 13 12 29 B9 8E 0A 7E EC AE 3B 63 C7 F2 \.\.\.\.\.\) \.U\.\.\.\.\.\.\.0\.\.\.\.\.\.\.\.\.\.\.\.;c\.\. 09A0: 64 D7 77 BC 7D 6E 1B A8 3F 69 62 D7 77 0770: 00 30 1D 06 03 55 1D 0E 04 16 04 14 93 58 51 F7 \.0\.\.\.U\.\.\.\.\.\.\.XQ\. 0780: 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 3A C5 FD d\.w\.\.n\.\.?ib\.w:\.\. 09B0: 48 94 BA 01 CA B3 52 F9 9E 2B 70 \.\.\.\!\.\.\.\.\.&quot;GZ 49 38 0D E7 95 C1 7A D3 H\.\.\.\.\.R\.I8\.\.\.\.z\. \.\.\+p 0790: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 0E 89 24 0\.\.\.U\.\#\.\.0\.\.\.\.\.
07A0: A6 59 CB F2 62 5B FA BA 41 24 3C AF 81 23 11 31 .Y..b[..A$<..#.1
07B0: 8B 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 .0...*.H........
07C0: 03 82 01 01 00 02 32 49 FB 25 7C 47 CC 17 38 5B ......2I.%.G..8[
07D0: 00 F8 D6 5E D7 2F FA E6 BC 4B 81 B7 1A 91 8F 38 ...^./...K.....8
07E0: AD DA 5B 54 DF 13 DB 56 9B 51 CC 0A C8 F4 07 EF ..[T...V.Q09C0......
07F0: 53 95 94 DD 98 9F EB A2 FE 09 7D E5 23 F6 B5 B5 S...........#...
0800: B2 0D 59 71 66 B1 64 A5 3A 59 C9 44 7F 01 B7 AE ..Yqf.d.:Y.D....
0810: 5E F3 E1 79 08 24 BB C9 CA AC 5F BD B4 D5 76 36 ^..y.$...._...v6
0820: 3D CA 07 0E 39 02 8D 23 84 FA 80 2C A5 74 2D B2 =...9..#...,.t-.
0830: 36 DF CA E5 F9 8C 90 C1 CD 7F 3A 0D 85 54 D9 E9 6.........:..T..
: 69 5A 7C 4E 06 DF 25 54 0840 49 BB B7 6E A4 34 F7 42 iZ.N..%TI..n.4.B
09D0: 7B 5E 67 5A 5C 16 45 F0 E4 3A B9 C6 52 EB 73 2C .^gZ\.E..:..R.s,
09E0: 3D 14 B5 FC A3 AC EC 20 14 A0 C7 AB B0 22 CC F6 =...... ....."..
09F0: A3 F9 96 20 93 B0 E6 AA 68 D6 F3 3E 96 D3 02 1E ... ....h..>..: 77 93 D6 E8 D4 41..
0A00: 44 58 5E A8 17 17 F8 5B F1 A9 93 6B 03 E5 C0 91 3B 3C w.. DF 6E 2F 9A F8 A8 4D 3F DX^....[.n/...M?
0A10: 5F 8A CD A9 D7 6F BD 0D 00 00 F0 03 01 02 40 00 _....o........@.
0A20: 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 ................
0A30: 03 03 01 03 02 02 03 02 01 02 02 00 CE 00 7A 30 ..........A...k....;<
0850: 9C 4C B6 21 ED 2D C7 20 9A D4 CC 22 23 01 6D 96 .L.!.-. ..."#.m.
0860: B4 3C 8F 78 25 7E ED 4A DA 14 BC 9C 7D 4C BF 94 .<.x%..J.....L..
0870: 60 82 BB BC 53 AC 00 2B 50 45 74 F2 71 4D BF 7F `...S..+PEt.qM..
0880: B9 CF 96 27 CC D2 27 E2 37 CE 84 0D 7F F2 3E E6 ...'..'.7.....>.
0890: 06 63 5A E6 71 1F 08 14 B4 C4 A4 E0 F0 9E CB AA .cZ.q...........
08A0: 10 FF BA 63 95 96 BD 13 25 5B 3D D5 51 FF 76 00 ...c....%[=.Q......z0
0A40: 78 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 x1.0.....&...,d.
0A50: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89.v.
08B0: 3E 57 84 30 EC AC B3 7D 02 07 D2 93 5A 00 D4 B0 >W.0........Z...
08C0: E9 97 86 9A 23 0C 00 01 49 03 00 17 41 04 D1 27 ....#...I...A..'
08D0: 7C DD CB DF EB D9 6F B1 9F E6 17 B9 0A 11 B3 65 ......o........e
08E0: 99 2D 57 E6 7F 41 17 F5 E5 45 72 DE AA CE 7B 3C .-W..A...Er....<
08F0: 91 D4 EB C8 B6 79 56 D0 DD 83 B1 08 76 86 48 D0 .....yV.....v.H.
  ...com1.0.....&.
09000A60: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F ..,d....ingenico: 3E 65 0F DF 55 3C 18 18 2F A1 2F B4 7F DF 06 01 >e..U<.././.....
0910: 01 00 7F FD 35 55 01 64 21 1A B1
0A70: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0...U....Ingen
0A80: 69 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E ico1.0...U....In
0A90: 67 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 genico Root CA1.
0AA0 C6 D6 D3 BF 79 : 30 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 0...U.. ....5U.d!..Ingenic
0AB0: 6F 20 52 6F 6F 74 20 43 41 00 50 30 4E 31 0B 30 o Root CA.P0N1.0
0AC0: 09 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 ...U....FR1.0...
0AD0: 55 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 U....France1.0..
0AE0: 03 55 04 0A 13 08 49 6E ......y
0920: F6 1F 6B CD EA 2F 95 A0 39 B2 14 26 F2 AD 60 A8 ..k../..9..&..`.
0930: 27 42 08 0E 96 A3 FA 21 31 C8 00 AC 54 0D 59 73 'B.....!1...T.Ys
0940: 56 F1 B7 D8 67 9F CD 2F 04 69 86 95 FB A1 D4 38 V...g../.i.....8
0950: 2E 66 5D 4C 90 34 02 9B 67 65 6E 69 63 6F 31 0C .U....Ingenico1.
0AF0: 30 0A 06 03 55 04 0B 13 03 41 50 4F 31 0D 30 0B 0...U....APO1.0.
0B00: 06 03 55 04 03 13 04 6A 69 72 61 0E 00 00 00 ..U....jira....
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 64
0000: 0E 89 FD D4 76 1B 81 11 05 B9 37 2F 95 BB 16 4C ....v.....7/...L
0010: 01 00 B7 DF 62 50 74 A5 39 30 21 82 32 4F F4 32 ....bPt.90!.2O.2
0020: 85 C1 72 EF 43 6A 8A 8A 0C 76 C6 0D EC E2 DE A8 ..r.Cj...v......
0030: 0B 4F 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D .O..............
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 64
[Raw write]: length = 69
0000: 15 03 03 00 40 C8 D5 02 DC EA D8 9A DF E7 81 3F ....@..........?
0010: E8 73 76 5E 25 6E 14 C2 CE 78 48 E1 DC CE BB B9 .sv^%n...xH.....
0020: D6 96 2E 14 4B 89 80 67 D1 B3 6B 17 6D D3 07 32 ....K..g..k.m..2
0030: 45 A4 5C F7 EA 98 59 25 94 B0 03 BD 57 A1 FE 8E E.\...Y%....W...
0040: 0A BD 6D 57 66 ..mWf
  E3 ED B0 AE BC 1E 1A 49 .f]L.4.........I
0960: 92 47 61 AC 52 B6 F4 D9 62 CD 93 4F 40 4D 19 9B .Ga.R...b..O@M..
0970: AF 70 17 94 C0 90 28 82 6F 3C 30 48 22 75 5F 0C .p....(.o<0H"u_.
0980: 24 6B D9 37 E2 78 28 6D 53 2A 02 A5 D6 24 3D 79 k\.7\.x\(mS\*\.\.\.=y
0990: 42 39 A0 42 E8 5A 4D A4 6F 48 F0 19 19 CB B0 53 B9.B.ZM.oH.....S
09A0: 30 38 95 87 BD 9D B9 4A 67 7F E9 2D 34 8A 40 8A 08.....Jg..-4.@.
09B0: DD BE 97 63 48 FE 70 10 7B 05 CA 42 0A F8 ED 77 ...cH.p....B...w
09C0: C4 74 56 FA 1C E3 C5 66 06 6E 1A C6 1B DA 63 37 .tV....f.n....c7
09D0: 3E 41 AA FD 37 9D 00 AF 72 5F 08 E2 FB D9 DE A5 >A..7...r_......
09E0: 86 86 93 5F BD 14 70 3D 6F 88 E0 37 A6 CE F0 6B ..._..p=o..7...k
09F0: 5B 6F 82 5A 42 75 94 89 0A 47 CA C1 DE B0 94 B6 [o.ZBu...G......
0A00: 80 5A 64 5D 0E D8 3B DF 89 FE FE CC AE 4E 4C 55 .Zd]..;......NLU
0A10: 3E 5D 0D 00 00 F0 03 01 02 40 00 1A 06 03 06 01 >].......@......
0A20: 05 03 05 01 04 03 04 01 04 02 03 03 03 01 03 02 ................
0A30: 02 03 02 01 02 02 00 CE 00 7A 30 78 31 13 30 11 .........z0x1.0.
0A40: 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F ....&...,d....co
0A50: 6D 31 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 m1.0.....&...,d.
0A60: 19 16 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 ...ingenico1.0..
0A70: 03 55 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 19 .U....Ingenico1.
0A80: 30 17 06 03 55 04 0B 0C 10 49 6E 67 65 6E 69 63 0...U....Ingenic
0A90: 6F 20 52 6F 6F 74 20 43 41 31 19 30 17 06 03 55 o Root CA1.0...U
0AA0: 04 03 0C 10 49 6E 67 65 6E 69 63 6F 20 52 6F 6F ....Ingenico Roo
0AB0: 74 20 43 41 00 50 30 4E 31 0B 30 09 06 03 55 04 t CA.P0N1.0...U.
0AC0: 06 13 02 46 52 31 0F 30 0D 06 03 55 04 07 13 06 ...FR1.0...U....
0AD0: 46 72 61 6E 63 65 31 11 30 0F 06 03 55 04 0A 13 France1.0...U...
0AE0: 08 49 6E 67 65 6E 69 63 6F 31 0C 30 0A 06 03 55 .Ingenico1.0...U
0AF0: 04 0B 13 03 41 50 4F 31 0D 30 0B 06 03 55 04 03 ....APO1.0...U..
0B00: 13 04 6A 69 72 61 0E 00 00 00 ..jira....
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], WRITE: TLSv1.2 Handshake, length = 2826
[Raw write]: length = 2831
0000: 16 03 03 0B 0A 02 00 00 4D 03 03 5A 18 1B F9 C5 ........M..Z....
0010: 14 F0 AB 83 9B EF 65 7D DF 07 F2 53 66 ED 4B 70 ......e....Sf.Kp
0020: B4 D5 48 19 8F 6E 4F B9 16 3D E5 20 5A 18 1B F9 ..H..nO..=. Z...
0030: 62 D1 DA 82 51 FB E9 2A 89 3B E6 DC 82 49 AA CD b...Q..*.;...I..
0040: 9C 7B 1C 73 A7 AD 12 34 00 A6 DB 0A C0 27 00 00 ...s...4.....'..
0050: 05 FF 01 00 01 00 0B 00 08 70 00 08 6D 00 04 8C elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify
.........p..m...
0060: 30 82 04 88 30 82 03 70 A0 03 02 01 02 02 01 02 0...0..p........
0070: 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 0...*.H........0
0080: 7E 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 .1.0.....&...,d.
0090: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 ...com1.0.....&.
00A0: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F ..,d....ingenico
00B0: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0...U....Ingen
00C0: 69 63 6F 31 1C 30 1A 06 03 55 04 0B 0C 13 49 6E ico1.0...U..Padded plaintext before ENCRYPTION: len = 64
..In
00D0: 67 65 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 0000 genico Signing C
00E0: 41 31 1C 30 1A 06 03 55 04 03 0C 13 49 6E 67 65 A1.0...U....Inge
00F0: 6E 69 63 6F 20 53 69 67 6E 69 6E 67 20 43 41: 08 46 54 32 6E 92 38 A0 00 45 D2 15 0C 13 B8 70 .FT2n.8..E.....p
0010: 01 00 04 AF 30 nico Signing CA0
2A EB EB 64 BE BC 1F EF 66 18 B2 9C ....*..d....f...0100
0020: DB 75 7F 70 91 75 96 13 : 1E 17 0D 31 37 31 31 32 32 31 36 31 39 35 31 5A 76 38 65 04 F3 B4 F5 43 .u.p.u..v8e....C
0030: BE 4D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D 0D .M..............
...171122161951Z
0110: 17 0D 31 39 31 31 32 32 31 36 31 39 35 31 5A 30 ..191122161951Z0
0120: 68 31 0Belasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 64
30 09 06 03 55 04 06 13 02 46 52 31 0F h1.0...U....FR1.
0130: 30 0D 06 03 55 04 07 13 06 46 72 61 6E 63 65 31 0[Raw write]: length = 69
...U....France10000
0140: 11 30 0F 06 03 55 04 0A 13 08 49 6E 67 65 6E 69 .0...U....Ingeni
0150: 63 6F 31 0C 30 0A 06 03 55 04 0B 13 03 41 50 4F co1.0...U....APO
0160: 31 27 30 25 06 03 55 04 03 13 1E 70 70 6A 62 69 1'0%..U....ppjbi
0170: 65 73 31 2E 73 65 72 76 69 63 65 73 2E 69 6E 67 es1.services.ing
0180: 65 6E 69 63 6F 2E 63 6F 6D 30 82 01 22 30 0D 06 enico.com0.."0..
0190: 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F .*.H............
01A0: 00 30 82 01 0A 02 82 01 01 00 8F 1A 0B C4 67 3F .0............g?
01B0: BC 37 24 27 1F 3A 31 60 30 03 8A BE 26 FE 5E 38 .7$'.:1`0...&.^8
01C0: 94 5F A8 48 54 F6 BC 21 FB 23 13 E9 AF 96 0A 6A ._.HT..!.#.....j
01D0: A2 CE A2 40 03 7D 2B 5E 2F 59 03 6A AA A5 E5 8C ...@..+^/Y.j....
01E0: 21 0E 70 CC D4 9C 44 B9 1E 54 57 E1 F9 DC 7E AC !.p...D..TW.....
01F0: F0 3B 43 0F 5A B5 D4 55 89 24 9D 83 E3 3C C2 89 .;C.Z..U.\.\.\.&lt;\.\. 0200: 08 E3 54 55 2F 20 CD C8 03 DC 32 C6 FE 37 88 06 \.\.TU/ \.\.\.\.2\.\.7\.\. 0210: C4 DD B8 EC AB 2C F4 0C ED CF 9C 94 4C 1F 85 C8 \.\.\.\.\.,\.\.\.\.\.\.L\.\.\. 0220: FD 7E 1F 3E F0 6D 33 DB E3 06 A2 CB 87 09 DA 95 \.\.\.&gt;\.m3\.\.\.\.\.\.\.\.\. 0230: 3B BB EB 19 B8 C3 CC 50 0C E6 EA D4 63 B5 22 8F ;\.\.\.\.\.\.P\.\.\.\.c\.&quot;\. 0240: 26 4B 56 9B 50 3D E5 96 6A 57 8E 71 31 B6 21 DE &amp;KV\.P=\.\.jW\.q1\.\!\. 0250: 2B 4B 37 45 A6 5A A8 ED C3 8D E4 1D FF 76 0B CD \+K7E\.Z\.\.\.\.\.\.\.v\.\. 0260: 5E 79 C5 E5 55 13 01 AA 2B 59 43 C3 D0 A2 94 A6 ^y\.\.U\.\.\.\+YC\.\.\.\.\. 0270: 4F A6 F7 5F C8 35 04 8E E2 65 9F 27 4D 45 93 52 O\.\.\_\.5\.\.\.e\.&#39;ME\.R 0280: DF 22 A2 B8 B7 B1 BE 30 30 CC A0 4C 0E 04 32 F2 \.&quot;\.\.\.\.\.00\.\.L\.\.2\. 0290: 21 86 AA 54 44 A3 AB 65 A6 26 57 3E 92 7D 57 40 \!\.\.TD\.\.e\.&amp;W&gt;\.\.W@ 02A0: B3 55 4A 68 F7 17 66 56 4B 61 02 03 01 00 01 A3 \.UJh\.\.fVKa\.\.\.\.\.\. 02B0: 82 01 25 30 82 01 21 30 0E 06 03 55 1D 0F 01 01 \.\.%0\.\.\!0\.\.\.U\.\.\.\. 02C0: FF 04 04 03 02 05 A0 30 09 06 03 55 1D 13 04 02 \.\.\.\.\.\.\.0\.\.\.U\.\.\.\. 02D0: 30 00 30 1D 06 03 55 1D 25 04 16 30 14 06 08 2B 0\.0\.\.\.U\.%\.\.0\.\.\.\+ 02E0: 06 01 05 05 07 03 01 06 08 2B 06 01 05 05 07 03 \.\.\.\.\.\.\.\.\.\+\.\.\.\.\.\. 02F0: 02 30 1D 06 03 55 1D 0E 04 16 04 14 77 B4 4D 46 \.0\.\.\.U\.\.\.\.\.\.w\.MF 0300: B5 92 47 48 17 91 6F 23 5F 46 61 56 7C 0C C1 C8 \.\.GH\.\.o\#\_FaV\.\.\.\. 0310: 30 1F 06 03 55 1D 23 04 18 30 16 80 14 93 58 51 0\.\.\.U\.\#\.\.0\.\.\.\.XQ 0320: F7 1A 12 15 21 9D 13 F8 90 18 22 47 5A BD 9E 2B \.\.\.\.\!\.\.\.\.\.&quot;GZ\.\.\+ 0330: 70 30 62 06 03 55 1D 1F 04 5B 30 59 30 57 A0 55 p0b\.\.U\.\.\.\[0Y0W\.U 0340: A0 53 86 51 68 74 74 70 73 3A 2F 2F 72 61 77 2E \.S\.Qhttps://raw\. 0350: 67 69 74 68 75 62 75 73 65 72 63 6F 6E 74 65 6E githubuserconten 0360: 74 2E 63 6F 6D 2F 66 6C 6F 72 61 67 75 6E 6E 63 t\.com/floragunnc 0370: 6F 6D 2F 75 6E 69 74 74 65 73 74 2D 61 73 73 65 om/unittest\-asse 0380: 74 73 2F 6D 61 73 74 65 72 2F 72 65 76 6F 6B 65 ts/master/revoke 0390: 64 2E 63 72 6C 30 41 06 03 55 1D 11 04 3A 30 38 d\.crl0A\.\.U\.\.\.:08 03A0: 82 1E 70 70 6A 62 69 65 73 31 2E 73 65 72 76 69 \.\.ppjbies1\.servi 03B0: 63 65 73 2E 69 6E 67 65 6E 69 63 6F 2E 63 6F 6D ces\.ingenico\.com 03C0: 82 09 6C 6F 63 61 6C 68 6F 73 74 87 04 AC 15 16 \.\.localhost\.\.\.\.\. 03D0: 26 88 05 2A 03 04 05 05 30 0D 06 09 2A 86 48 86 &amp;\.\.\*\.\.\.\.0\.\.\.\*\.H\. 03E0: F7 0D 01 01 0B 05 00 03 82 01 01 00 89 17 4E 12 \.\.\.\.\.\.\.\.\.\.\.\.\.\.N\. 03F0: 56 7F 43 5D 3C CE D9 F1 96 A5 68 ED 3E 1A E1 31 V\.C\]&lt;\.\.\.\.\.h\.&gt;\.\.1 0400: 76 A7 5D 97 E8 52 77 DA 3D F4 39 07 EB 2B 19 5E v\.\]\.\.Rw\.=\.9\.\.\+\.^ 0410: 78 32 B6 0D 02 79 C4 00 C1 79 A4 02 84 B8 6D B8 x2\.\.\.y\.\.\.y\.\.\.\.m\. 0420: 6E CC 04 53 A4 D5 5E 80 20 D5 CC 37 39 A0 C2 47 n\.\.S\.\.^\. \.\.79\.\.G 0430: 29 5A 4A 08 28 5B CD 7E 26 11 2E 30 43 16 64 36 \)ZJ\.\(\[\.\.&amp;\.\.0C\.d6 0440: 69 42 8A E1 E2 0C 4D BC 4E 63 57 06 82 C8 55 CA iB\.\.\.\.M\.NcW\.\.\.U\. 0450: B1 85 57 CF D7 C0 1C 43 55 F3 72 B6 29 C4 4A 64 \.\.W\.\.\.\.CU\.r\.\)\.Jd 0460: 88 4B 7F 25 A1 59 E9: 15 03 03 00 40 B1 AA 4D 6D 9B 8D 1C 14 D9 AC 10 FB A9 B2 B5 1D 73 70 30 CA \.K\.%\.Y\.\.\.\.\.\.sp0\. 0470: 33 D7 F3 0F B1 3D 0C 71 F6 BA BA 22 EF F8 7C DE \.\.\.\.@\. 3\.\.\.\.=\.q\.\.\.&quot;\.\.\.\. 0480: F0 31 41 A9 76 8E 05 3D 03 12 3F AA E2 17 F5 5F \.1A\.v\.\.=\.\.?\.\.\.\.\_ 0490: FA 4D EE 80 89 8C 6F 27 24 A6 B2 0F 00 36 07 2F \.M\.\.\.\.o&#39;....6./
04A0: BA 62 B3 1A 0F 93 5D 81 72 3B AB 42 A9 A4 81 B9 .b....].r;.B....
04B0: F0 EF 67 57 CD EA C1 BE BF CB 20 DE E5 11 F3 35 .Mm....... ..gW...... ....5
04C0: 62 58 F4 08 E1 BC D6 B2 A6 DC 93 45 9F 79 6E DC bX.........E.yn.
04D0: F0 1B A8 CA 44 F6 86 0E DA 38 0D E1 B1 76 BB 47 ....D....8...v.G
04E0: 0A 49 DA CF F2 E4 6E 8F E1 37 9C F8 00 03 DB 30 .I....n..7.....0
04F0: 82 03 D7 30 82 02 BF A0 03 02 01 02 02 01 02 30 ...0...........0
0500: 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 78 ...*.H........0x
0510: 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 19 1.0.....&...,d..
0520: 16 03 63 6F 6D 31 18 30
0010: 9C 5B D1 AE 70 0A 61 FC 16 06 0A 09 92 26 89 93 ..com1.0.....&..
0530: F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F 31 .,d....ingenico1
  C3 04 F3 ED C8 92 0C 0E .[..p.a.........
0020: FB C0 34 7B FE A6 98 AC 68 77 AD 6B 91 0F 08 7D ..4.....hw.k....
0030: 6A 1F EC E3 8A 30 CB E6 3F BC FB E7 4B 7D 57 FD j....0..?...K.W.
0040: B2 3B 16 B4 3A .;..:
0540: 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 69 .0...U....Ingeni
0550: 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E 67 co1.0...U....Ing
0560: 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 30 enico Root CA1.0
0570: 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 6F ...U....Ingenico
0580: 20 52 6F 6F 74 20 43 41 30 1E 17 0D 31 37 31 31 Root CA0...1711
0590: 32 32 31 36 31 39 34 38 5A 17 0D 32 37 31 31 32 22161948Z..27112
05A0: 32 31 36 31 39 34 38 5A 30 7E 31 13 30 11 06 0A 2161948Z0.1.0...
05B0: 09 92 26 89 93 F2 2C 64 01 19 16 03 63 6F 6D 31 ..&...,d....com1
05C0: 18 30 16 06 0A 09 92 26 89 93 F2 2C 64 01 19 16 .0.....&...,d...
05D0: 08 69 6E 67 65 6E 69 63 6F 31 11 30 0F 06 03 55 .ingenico1.0...U
05E0: 04 0A 0C 08 49 6E 67 65 6E 69 63 6F 31 1C 30 1A ....Ingenico1.0.
05F0: 06 03 55 04 0B 0C 13 49 6E 67 65 6E 69 63 6F 20 ..U....Ingenico
0600: 53 69 67 6E 69 6E 67 20 43 41 31 1C 30 1A 06 03 Signing CA1.0...
0610: 55 04 03 0C 13 49 6E 67 65 6E 69 63 6F 20 53 69 U....Ingenico Si
0620: 67 6E 69 6E 67 20 43 41 30 82 01 22 30 0D 06 09 gning CA0.."0...
0630: 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 *.H.............
0640: 30 82 01 0A 02 82 01 01 00 C9 38 24 AC 9F 51 53 0.........8$..QS
0650: FE 46 D0 06 97 2A 68 55 68 F4 26 3A 0F 27 0E 6E .F...*hUh.&:.'.n
0660: CB 2B CB D7 6D 7F D2 37 6B F8 6D 34 EA A9 BE 53 .+..m..7k.m4...S
0670: 04 11 09 C1 42 FA 5D 5D 4A CA 48 25 C3 F7 6C 37 ....B.]]J.H%..l7
0680: 37 86 B0 70 22 3F BA F6 E9 D4 DA 2C DB 48 4F 48 7..p"?.....,.HOH
0690: F0 9A CF AA 60 11 6D 4E 40 35 86 9C 15 8A 1E 3D ....`.mN@5.....=
06A0: 25 CE B4 EF 10 4C C9 A6 82 47 3D AA 32 13 C3 9C %....L...G=.2...
06B0: 9A C8 29 BE 70 9F 20 B9 4B C9 26 01 CC DE 68 86 ..).p. .K.&...h.
06C0: C1 87 D5 62 3D FD 9F 8D FE A7 09 F4 9E 0B A9 46 ...b=..........F
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
06D0: 31 E7 D8 E6 DA 97 5F 10 75 66 EA D6 AE 05 39 C6 1....._.uf....9.
06E0: FD 4A 78 44 58 7D F9 00 4A D7 2B 74 1B 3C 3E 06 .JxDX...J.+t.<>.
06F0: 34 A9 6C 80 78 84 74 E4 B5 14 5A 2A CA 02 46 65 4.l.x.t...Z*..Fe
0700: C1 26 90 63 05 5C 71 29 FE 29 2C 0D F3 73 2E 46 .&.c.\q).),..s.F
0710: 8D AA 4A 3B 1D 1F 8D 0C AE D1 97 83 C3 F6 2E 49 ..J;...........I
0720: 08 2F 91 0B 5A AF A9 A5 A9 7D CE 3D 4D 4B A9 4A ./..Z......=MK.J
0730: C9 26 71 4C 3C 9C 5E A7 5C 25elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], SEND TLSv1.2 ALERT: warning, description = close_notify
CB FA 7D 11 53 E7 .&qL<.^.\%....S.
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], WRITE: TLSv1.2 Alert, length = 2
0740: F7 4E AA 79 DC 78 1E CD 9B 02 03 01 00 01 A3 66 .N.y.x.........f
0750: 30 64 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 0d0...U.........
0760: 01 06 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 ..0...U.......0.
0770: 01 01 FF 02 01 00 30 1D 06 03 55 1D 0E 04 16 04 ......0...U.....
0780: 14 93 58 51 F7 1A 12 15 [Raw write]: length = 7
  21 9D 13 F8 90 18 22 47 ..XQ....!....."G
0790: 5A BD 9E 2B 70 30 1F 06 03 55 1D 23 04 18 30 16 Z..+p0...U.#..0.
07A0: 80 14 0E 89 24 A6 59 CB F2 62 5B FA BA 41 24 3C ....\.Y\.\.b\[\.\.A<
07B0: AF 81 23 11 31 8B 30 0D 06 09 2A 86 48 86 F7 0D ..#.1.0...*.H...
07C0: 01 01 0B 05 00 03 82 01 01 00 02 32 49 FB 25 7C ...........2I.%.
07D0: 47 CC 17 38 5B 00 F8 D6 5E D7 2F FA E6 BC 4B 81 G..8[...^./...K.
07E0: B7 1A 91 8F 38 AD DA 5B 54 DF 13 DB 56 9B 51 CC ....8..[T...V.Q.
07F0: 0A C8 F4 07 EF 53 95 94 DD 98 9F EB A2 FE 09 7D .....S..........
0800: E5 23 F6 B5 B5 B2 0D 59 71 66 B1 64 A5 3A 59 C9 .#.....Yqf.d.:Y.
08100: 44 7F 01 B7 AE 5E F3 E1 79 08 24 BB C9 CA AC 5F D....^..y.$...._
0820: BD B4 D5 76 36 3D CA 07 0E 39 02 8D 23 84 FA 80 ...v6=...9..#...
0830: 2C A5 74 2D B2 36 DF CA E5 F9 8C 90 C1 CD 7F 3A ,.t-.6.........:
0840: 0D 85 54 D9 E9 77 93 D6 E8 D4 41 F1 A9 93 6B 03 ..T..w....A...k.
0850: E5 C0 91 3B 3C 9C 4C B6 21 ED 2D C7 20 9A D4 CC ...;<.L.!000.-. ...
0860: 22 23 01 6D 96 B4 3C 8F 78 25 7E ED 4A DA 14 BC "#.m..<.x%..J...
0870: 9C 7D 4C BF 94 60 82 BB BC 53 AC 00 2B 50 45 74 ..L..`...S..+PEt
0880: F2 71 4D BF 7F B9 CF 96 27 CC D2 27 E2 37 CE 84 .qM.....'..'.7..
0890: 0D 7F F2 3E E6 06 63 5A E6 71 1F 08 14 B4 C4 A4 ...>..cZ.q......
08A0: E0 F0 9E CB AA 10 FF BA 63 95 96 BD 13 25 5B 3D ........c....%[=
08B0: D5 51 FF 76 00 3E 57 84 30 EC AC B3 7D 02 07 D2 .Q.v.>W.0.......
08C0: 93 5A 00 D4 B0 E9 97 86 9A 23 0C 00 01 49 03 00 .Z.......#...I..
08D0: 17 41 04 D1 27 7C DD CB DF EB D9 6F B1 9F E6 17 .A..'......o....
08E0: B9 0A 11 B3 65 99 2D 57 E6 7F 41 17 F5 E5 45 72 ....e.-W..A...Er
08F0: DE AA CE 7B 3C 91 D4 EB C8: 15 03 03 00 02 01 00 B6 79 56 ....... D0 DD 83 B1 ....<.....yV....
0900: 08 76 86 48 D0 3E 65 0F DF 55 3C 18 18 2F A1 2F .v.H.>e..U<.././
0910: B4 7F DF 06 01 01 00 7F FD 35 55 01 64 21 1A B1 .........5U.d!..
0920: C6 D6 D3 BF 79 F6 1F 6B CD EA 2F 95 A0 39 B2 14 ....y
..k../..9..
0930: 26 F2 AD 60 A8 27 42 08 0E 96 A3 FA 21 31 C8 00 &..`.'B.....!1..
0940: AC 54 0D 59 73 56 F1 B7 D8 67 9F CD 2F 04 69 86 .T.YsV...g../.i.
0950: 95 FB A1 D4 38 2E 66 5D 4C 90 34 02 9B E3 ED B0 ....8.f]L.4.....
0960: AE BC 1E 1A 49 92 47 61 AC 52 B6 F4 D9 62 CD 93 ....I.Ga.R...b..
0970: 4F 40 4D 19 9B AF 70 17 94 C0 90 28 82 6F 3C 30 O@M...p....(.o<0
0980: 48 22 75 5F 0C 24 6B D9 37 E2 78 28 6D 53 2A 02elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
  H"u_.k\.7\.x\(mS\*\. 0990: A5 D6 24 3D 79 42 39 A0 42 E8 5A 4D A4 6F 48 F0 \.\.=yB9.B.ZM.oH.
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
09A0: 19 19 CB B0 53 30 38 95 87 BD 9D B9 4A 67 7F E9 ....S08.....Jg..
09B0: 2D 34 8A 40 8A DD BE 97 63 48 FE 70 10 7B 05 CA -4.@....cH.p....
09C0: 42 0A F8 ED 77 C4 74 56 FA 1C E3 C5 66 06 6E 1A elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
B...w.tV....f.n.
09D0: C6 1B DA 63 37 3E 41 AA FD 37 9D 00 AF 72 5F 08 ...c7>A..7...r_.
09E0: E2 FB D9 DE A5elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#5], closeOutboundInternal()
86 86 93 5F BD 14 70 3D 6F 88 E0 ........_..p=o..
09F0: 37 A6 CE F0 6B 5B 6F 82 5A 42 75 94 89 0A 47 CA 7...k[o.ZBu...G.
0A00: C1 DE B0 94 B6 80 5A 64 5D 0E D8 3B DF 89 FE FE ......Zd]..;....
0A10: CC AE 4E 4C 55 3E 5D 0D 00 00 F0 03 01 02 40 00 ..NLU>].......@.
0A20: 1A 06 03 06 01 05 03 05 01 04 03 04 01 04 02 03 ................
0A30: 03 03 01 03 02 02 03 02 01 02 02 00 CE 00 7A 30 ..............z0
0A40: 78 31 13 30 11 06 0A 09 92 26 89 93 F2 2C 64 01 x1.0.....&...,d.
0A50: 19 16 03 63 6F 6D 31 18 30 16 06 0A 09 92 26 89 ...com1.0.....&.
0A60: 93 F2 2C 64 01 19 16 08 69 6E 67 65 6E 69 63 6F ..,d....ingenico
0A70: 31 11 30 0F 06 03 55 04 0A 0C 08 49 6E 67 65 6E 1.0...U....Ingen
0A80: 69 63 6F 31 19 30 17 06 03 55 04 0B 0C 10 49 6E ico1.0...U....In
0A90: 67 65 6E 69 63 6F 20 52 6F 6F 74 20 43 41 31 19 genico Root CA1.
0AA0: 30 17 06 03 55 04 03 0C 10 49 6E 67 65 6E 69 63 0...U....Ingenic
0AB0: 6F 20 52 6F 6F 74 20 43 41 00 50 30 4E 31 0B 30 o Root CA.P0N1.0
0AC0: 09 06 03 55 04 06 13 02 46 52 31 0F 30 0D 06 03 ...U....FR1.0...
0AD0: 55 04 07 13 06 46 72 61 6E 63 65 31 11 30 0F 06 U....France1.0..
0AE0: 03 55 04 0A 13 08 49 6E 67 65 6E 69 63 6F 31 0C .U....Ingenico1.
0AF0: 30 0A 06 03 55 04 0B 13 03 41 50 4F 31 0D 30 0B 0...U....APO1.0.
0B00: 06 03 55 04 03 13 04 6A 69 72 61 0E 00 00 00 ..U....jira....
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], called closeOutbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], closeOutboundInternal()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], SEND TLSv1.2 ALERT: warning, description = close_notify
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], WRITE: TLSv1.2 Alert, length = 2
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], called closeInbound()
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-40, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], SEND TLSv1.2 ALERT: fatal, description = internal_error
elasticsearch[ppjbies1][[transport_server_worker.default]][T#7], Exception sending alert: java.io.IOException: writer side was already closed.

On Friday, November 24, 2017 at 2:14:18 PM UTC+1, Search Guard wrote:
Make sure you execute ./gen_root_ca.sh only once. Certificates generatet not with the exactly same root CA are not trusted each other.
I suggest you delete every certificate/key/truststore etc and recreate all certs (but only once).

The scripts are known to work so i can only imagine you use certs signed by different root ca's because you run ./gen_root_ca.sh more than once.
Or use the TLS cert generator https://floragunn.com/tls-certificate-generator/

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/957a758e-5902-474a-8aea-7255b6f04820%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I downloaded the certificates from your generator site and configured everything.
Still same error :

[2017-11-24T14:37:24,085][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

``

Configured each node like this :

######## Start Search Guard Configuration ########

searchguard.ssl.transport.enabled: true

searchguard.ssl.transport.keystore_filepath: CN=jbies1-keystore.jks

searchguard.ssl.transport.keystore_password: *******

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: *******

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: CN=jbies1-keystore.jks

searchguard.ssl.http.keystore_password: *******

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: *******

The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.

searchguard.authcz.admin_dn:

  • CN=sgadmin

######## End Search Guard Configuration ########

``

···

On Friday, November 24, 2017 at 2:33:15 PM UTC+1, Search Guard wrote:

can you please try the original script and the tls cert generator and report back if they work?

maybe you have somewhere an old elasticsearch instance with incompatible certs running in your network?
Certs from the generator are proven to work, so it must be something on your side.

Use Oracle JDK 1.8 instead of OpenJDK may help (if you are on OpenJDK)

···

Am 24.11.2017 um 15:39 schrieb Frédéric Esnault <frederic.esnault@ovyka.com>:

I downloaded the certificates from your generator script and configured everything.
Still same error :

[2017-11-24T14:37:24,085][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [ppjbies1] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Configured each node like this :
######## Start Search Guard Configuration ########
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: CN=jbies1-keystore.jks
searchguard.ssl.transport.keystore_password: *******
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: *******
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=jbies1-keystore.jks
searchguard.ssl.http.keystore_password: *******
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: *******
# The setting below informs SearchGuard of all client certificates allowed to administrate SearhGuard.
searchguard.authcz.admin_dn:
  - CN=sgadmin

######## End Search Guard Configuration ########

On Friday, November 24, 2017 at 2:33:15 PM UTC+1, Search Guard wrote:
can you please try the original script and the tls cert generator and report back if they work?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/576af3e2-1d59-4c8c-b0d9-aff93f92b43a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

And even if they were, they would not be using certificate, I’m only starting to secure them.

I’m indeed using Oracle JDK 8, not OpenJDK.

I’m sure your certificates work, I don’t see any reason why they would not. And I tested in my local dev cluster, everything went fine using certificates generated with your scripts;

I’d agree with you that it may come from my setup, but don’t know where to look now. In the nodes certificates I generated, I included the IP for each node, to make sure that would not interfere, but the result is the same with your generic certificates and mine.

The nodes are talking to each other, that seems ok.

The problem seems to be between the client application (a Java application using SearchGuard plugin in its Transport node. Maybe something is off there. It worked in my local test, but not now in a real cluster.

For information, each node has its own server, and the client application is on its own server too.

Here is the code for transport client creation :

Thread.currentThread().setContextClassLoader(Constants.class.getClassLoader());

Settings.Builder builder = Settings.builder()

.put(“client.transport.sniff”, false)

.put(“cluster.name”, clusterName)

.put(“path.conf”, “elasticsearch”);

if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {

builder.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, searchGuardConfigDTO.getKeyStorePath())

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, searchGuardConfigDTO.getTrustStorePath())

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, searchGuardConfigDTO.getKeyStorePassword())

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, searchGuardConfigDTO.getTrustStorePassword())

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);

}

Settings settings = builder.build();

if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {

this.client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class);

} else {

this.client = new PreBuiltTransportClient(settings);

}

for (ESNode node : nodes) {

try {

this.client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(node.getNodeIp()), node.getNodePort()));

} catch (UnknownHostException uhe) {

LOGGER.error(uhe.getMessage(), uhe);

}

}

``

···

On Friday, November 24, 2017 at 3:52:29 PM UTC+1, Search Guard wrote:

maybe you have somewhere an old elasticsearch instance with incompatible certs running in your network?

Certs from the generator are proven to work, so it must be something on your side.

Use Oracle JDK 1.8 instead of OpenJDK may help (if you are on OpenJDK)

look here how the transport client can be used


···

Am 24.11.2017 um 16:13 schrieb Frédéric Esnault <frederic.esnault@ovyka.com>:

And even if they were, they would not be using certificate, I'm only starting to secure them.

I'm indeed using Oracle JDK 8, not OpenJDK.

I'm sure your certificates work, I don't see any reason why they would not. And I tested in my local dev cluster, everything went fine using certificates generated with your scripts;

I'd agree with you that it may come from my setup, but don't know where to look now. In the nodes certificates I generated, I included the IP for each node, to make sure that would not interfere, but the result is the same with your generic certificates and mine.

The nodes are talking to each other, that seems ok.
The problem seems to be between the client application (a Java application using SearchGuard plugin in its Transport node. Maybe something is off there. It worked in my local test, but not now in a real cluster.

For information, each node has its own server, and the client application is on its own server too.

Here is the code for transport client creation :

Thread.currentThread().setContextClassLoader(Constants.class.getClassLoader());
Settings.Builder builder = Settings.builder()
        .put("client.transport.sniff", false)
        .put("cluster.name", clusterName)
        .put("path.conf", "elasticsearch");
if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {
    builder.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, searchGuardConfigDTO.getKeyStorePath())
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, searchGuardConfigDTO.getTrustStorePath())
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, searchGuardConfigDTO.getKeyStorePassword())
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, searchGuardConfigDTO.getTrustStorePassword())
            .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);
}
Settings settings = builder.build();
if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {
    this.client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class);
} else {
    this.client = new PreBuiltTransportClient(settings);
}
for (ESNode node : nodes) {
    try {
        this.client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(node.getNodeIp()), node.getNodePort()));
    } catch (UnknownHostException uhe) {
        LOGGER.error(uhe.getMessage(), uhe);
    }
}

On Friday, November 24, 2017 at 3:52:29 PM UTC+1, Search Guard wrote:
maybe you have somewhere an old elasticsearch instance with incompatible certs running in your network?
Certs from the generator are proven to work, so it must be something on your side.

Use Oracle JDK 1.8 instead of OpenJDK may help (if you are on OpenJDK)

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/6e301e83-7c45-4cc4-a914-a16cc9104da5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yep that seems similar to what i did, except you use more options.
But my transport client was working in my dev local cluster, anyway.

···

On Friday, November 24, 2017 at 4:25:52 PM UTC+1, Search Guard wrote:

look here how the transport client can be used

https://github.com/floragunncom/search-guard/blob/5.6.0/src/main/java/com/floragunn/searchguard/tools/SearchGuardAdmin.java

https://github.com/floragunncom/search-guard/blob/5.6.0/src/test/java/com/floragunn/searchguard/SGTests.java#L1240

Am 24.11.2017 um 16:13 schrieb Frédéric Esnault frederic...@ovyka.com:

And even if they were, they would not be using certificate, I’m only starting to secure them.

I’m indeed using Oracle JDK 8, not OpenJDK.

I’m sure your certificates work, I don’t see any reason why they would not. And I tested in my local dev cluster, everything went fine using certificates generated with your scripts;

I’d agree with you that it may come from my setup, but don’t know where to look now. In the nodes certificates I generated, I included the IP for each node, to make sure that would not interfere, but the result is the same with your generic certificates and mine.

The nodes are talking to each other, that seems ok.

The problem seems to be between the client application (a Java application using SearchGuard plugin in its Transport node. Maybe something is off there. It worked in my local test, but not now in a real cluster.

For information, each node has its own server, and the client application is on its own server too.

Here is the code for transport client creation :

Thread.currentThread().setContextClassLoader(Constants.class.getClassLoader());

Settings.Builder builder = Settings.builder()

    .put("client.transport.sniff", false)
    .put("[cluster.name](http://cluster.name)", clusterName)
    .put("path.conf", "elasticsearch");

if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {

builder.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, searchGuardConfigDTO.getKeyStorePath())
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, searchGuardConfigDTO.getTrustStorePath())
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, searchGuardConfigDTO.getKeyStorePassword())
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, searchGuardConfigDTO.getTrustStorePassword())
        .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);

}

Settings settings = builder.build();

if (searchGuardConfigDTO != null && searchGuardConfigDTO.isActive()) {

this.client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class);

} else {

this.client = new PreBuiltTransportClient(settings);

}

for (ESNode node : nodes) {

try {
    this.client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(node.getNodeIp()), node.getNodePort()));
} catch (UnknownHostException uhe) {
    LOGGER.error(uhe.getMessage(), uhe);
}

}

On Friday, November 24, 2017 at 3:52:29 PM UTC+1, Search Guard wrote:

maybe you have somewhere an old elasticsearch instance with incompatible certs running in your network?
Certs from the generator are proven to work, so it must be something on your side.

Use Oracle JDK 1.8 instead of OpenJDK may help (if you are on OpenJDK)


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/6e301e83-7c45-4cc4-a914-a16cc9104da5%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Hi again,

I just created a spring boot command line app, very simple, calling my ES cluster with SG plugin : Here is its code :

public void search(String ip, String clusterName, String index, String type, String ksPwd, String ksPth, String tsPwd, String tsPth) {

TransportClient client;

Settings.Builder builder = Settings.builder()

.put(“client.transport.sniff”, false)

.put(“cluster.name”, clusterName)

.put(“path.conf”, “elasticsearch”);

builder.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, ksPth)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, ksPwd)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, tsPth)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, tsPwd)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLED, true);

Settings settings = builder.build();

client = new PreBuiltTransportClient(settings, SearchGuardPlugin.class);

try {

client.addTransportAddress(new InetSocketTransportAddress(InetAddress.getByName(ip), 9300));

} catch (UnknownHostException uhe) {

System.err.println("Error : " + uhe.getMessage());

uhe.printStackTrace();

}

SearchRequestBuilder searchRequestBuilder = client.prepareSearch(index).setTypes(type).setQuery(QueryBuilders.matchAllQuery());

SearchResponse searchResponse = searchRequestBuilder.execute().actionGet();

SearchHits hits = searchResponse.getHits();

System.out.println("Results : "+hits.getTotalHits());

}

``

I moved the resulting jar on the node server itself (local call), and called it, but got the same error : certificate_unknown.

Here is the calling line :

sgtest-1.0-SNAPSHOT.jar 172.21.22.38 pp-es-cluster ppjessbi apo_mapping ***** search-guard-certificates/client-certificates/CN=demouser-keystore.jks ***** search-guard-certificates/truststore.jks

``

Is there something you see that seems off ?

I am using your generated certificates, imported configuration using sgadmin.sh, and called the java client from the node itself, I really dont see what can be wrong here.

I’d need a little help on this one.

Is there another way to test the democlient certificate, or any other way to make this work ? Without this, I cannot use SG, and would have to revert to XPack, which is not free. And I had it working locally so where is my problem here ?

···

On Friday, November 24, 2017 at 4:25:52 PM UTC+1, Search Guard wrote:

look here how the transport client can be used

Got it !

Everything came from the fact that SG was trying to verify the client hostname vs its certificate, and it was not working.

I added two options in my client config and got it working (well almost, now I have this : Caused by: java.lang.Exception: no such user CN=demouser.

So the solution was just to add this to my java client code :

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)

.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)

``

Feeling better, and thanks for the pointer to your SGAdmin code, it’s where I saw the options that resolved the problem.