curl: (35) SSL connect error with Searchguard

Hi All
I see the below error while trying to access Searchguard:

[root@LOG-COLLECTOR tools]# curl -Sv --insecure -u admin:admin 'https://localhost:9200/_searchguard/authinfo?pretty'

* About to connect() to localhost port 9200 (#0)
* Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -5938
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Could you please help me to resolve it? Below is the configuration:

  • Search Guard version: search-guard-5-5.1.2-12.zip

  • Elasticsearch version: 5.1.2

  • JVM version: 1.8

Thanks
Sankar

From the Elasticsearch logs I found the below error:
[2017-08-21T09:55:07,815][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [6tio6YL] caught exception while handling client http traffic, closing connection [id: 0x6e79c489, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:42639]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:351) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:373) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:359) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:651) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:536) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:490) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:450) [netty-transport-4.1.6.Final.jar:4.1.6.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:873) [netty-common-4.1.6.Final.jar:4.1.6.Final]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0-jdk8u132-b00]
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0-jdk8u132-b00]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1097) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:968) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:902) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
… 15 more
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292) ~[?:?]
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:517) ~[?:?]

Thanks
Sankar

Hi:
Have you resolved this problem? I have the same problem.

As you can see from the exception, the outdated and insecure TLSv1 protocol is not enabled. That’s the default setting in Search Guard.

The documentation explains how to re-enable it:

Yes, I saw this error while using the http port.
Use the https port to resolve it. In the case of curl, we have to upgrade to the latest curl version.

Thanks
Sankar
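
Before choosing between upgrading clients and re-enabling TLSv1, it helps to know which clients the server is refusing. The following is an added example, not part of the thread or of Search Guard's code: it scans an Elasticsearch log for the exception shown above and tallies refused handshakes by client address and requested protocol. The sample lines are constructed from the log excerpt in this thread; the INFO line and the second client address (192.0.2.10) are made up.

```python
import re
from collections import Counter

# WARN header logged by SearchGuardHttpServerTransport when it drops a client;
# the remote endpoint appears as "R:/<ip>:<port>]" at the end of the line.
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]*SearchGuardHttpServerTransport\].*"
    r"R:/(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)\]"
)
# JSSE message naming the protocol version the client asked for.
REJECTED = re.compile(
    r"SSLHandshakeException: Client requested protocol (?P<proto>\S+) "
    r"not enabled or not supported"
)
NEW_EVENT = re.compile(r"^\[\d{4}-\d{2}-\d{2}T")  # start of any log event

def rejected_handshakes(lines):
    """Yield (timestamp, client_ip, protocol) once per refused handshake."""
    current = None  # header of the event whose stack trace we are inside
    for line in lines:
        if NEW_EVENT.match(line):
            m = HEADER.match(line)
            current = (m.group("ts"), m.group("ip")) if m else None
            continue
        if current:
            m = REJECTED.search(line)
            if m:
                yield current + (m.group("proto"),)
                current = None  # "Caused by:" lines repeat the same message

def summarize(lines):
    """Count refused handshakes per (client_ip, protocol)."""
    return Counter((ip, proto) for _, ip, proto in rejected_handshakes(lines))

# Constructed sample: first event copied from the thread, the rest invented.
SAMPLE = """\
[2017-08-21T09:55:07,815][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [6tio6YL] caught exception while handling client http traffic, closing connection [id: 0x6e79c489, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:42639]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
[2017-08-21T09:56:10,002][INFO ][o.e.n.Node] [6tio6YL] constructed unrelated line
[2017-08-21T09:57:31,440][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [6tio6YL] caught exception while handling client http traffic, closing connection [id: 0x00000001, L:0.0.0.0/0.0.0.0:9200 ! R:/192.0.2.10:51000]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
""".splitlines()

if __name__ == "__main__":
    for (ip, proto), n in sorted(summarize(SAMPLE).items()):
        print(f"{ip} offered {proto}: {n} refused handshake(s)")
```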
