Enabled_ciphers setting is not working as expected

Elasticsearch version: 7.7.1

Server OS version: Windows 10

Provide configuration:

action.auto_create_index: false
searchguard.ssl_only: true
searchguard.ssl.http.enabled_protocols: ["TLSv1.2", "TLSv1.1"]
searchguard.ssl.transport.enabled_protocols: ["TLSv1.2", "TLSv1.1"]
searchguard.ssl.http.enabled_ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA"]
searchguard.ssl.transport.enabled_ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA"]
cluster.name: <cluster.name>
node.name: <node.name>
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.transport.pemtrustedcas_filepath: <root.crt>
searchguard.ssl.http.pemtrustedcas_filepath: <root.crt>
searchguard.ssl.transport.pemkey_filepath: <client.key>
searchguard.ssl.transport.pemcert_filepath: <client.cert>
searchguard.ssl.http.pemkey_filepath: <client.key>
searchguard.ssl.http.pemcert_filepath: <client.cert>
cluster.initial_master_nodes: ["<node.name>"]
discovery.zen.ping.unicast.hosts: ["<node.name>"]

Describe the issue:
Based on my above configuration of the yml file, I tried to enable only a specific cipher suite that belongs to the enabled TLS protocol versions, but it still complains about a TLS version which I have not enabled.

Steps to reproduce:

  1. Enable the Protocols and Cipher as mentioned above.
  2. Restart the service
  3. Send a request from Postman. Make sure there are no protocols disabled during the handshake, and for the cipher suite selection mention only the one which has been enabled in the yml file.
  4. Check the Elasticsearch log:

[WARN ][o.e.h.AbstractHttpServerTransport] [cad206.corp.soti.net] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=, remoteAddress=null}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12, TLS11]

Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12, TLS11]

Expected behaviour:
If the cipher suite belongs to the enabled protocols, then there should not be such a warning/error. I should see the proper response.

Additional data:
I have validated the mapping of cipher suites and protocols at Microsoft's site.

Let me know if I am missing anything or if you need more details.

Hi @chintushah46

The reported error could be a result of your Postman settings. Maybe you've kept the TLS settings from when you were testing TLSv1.3, reported in the other case.

I’ve tested your settings and all worked from postman side.
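The log message in the report is worth reading literally: the server rejected the client's offered protocol versions [TLSv1.3] against its enabled [TLS12, TLS11] before any cipher suite was considered, because a TLS server picks a version first and a cipher suite second. The Python below is an added example (not code from this thread or from Search Guard) that parses a TLS ClientHello record and applies that same two-step check. It runs offline on constructed ClientHellos: one modelling a client that offers only TLS 1.3 (the Postman situation the reply describes) and one modelling a TLS 1.2 client offering TLS_RSA_WITH_AES_128_CBC_SHA. The cipher suite codes 0x002F and 0x1301 to 0x1303 are the IANA-registered values; the record builder, the name tables and the outcome strings are the example's own.

```python
"""Inspect a TLS ClientHello and check it against a server's enabled versions/ciphers.

Added example: shows why a version mismatch is reported even when the client
lists an enabled cipher suite, mirroring the order a TLS server negotiates.
"""
import struct

# IANA cipher suite codes (not exhaustive; only the ones relevant here).
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",  # the suite from the yml config (TLS <= 1.2)
    0x1301: "TLS_AES_128_GCM_SHA256",        # TLS 1.3-only suites
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
VERSION_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type


def build_client_hello(versions, ciphers) -> bytes:
    """Construct a minimal ClientHello record (constructed sample input for this example)."""
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"           # legacy_version, random, empty session id
             + struct.pack("!H", 2 * len(ciphers))
             + b"".join(struct.pack("!H", c) for c in ciphers)
             + b"\x01\x00"                                             # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello        # HandshakeType client_hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the protocol versions and cipher suites a ClientHello offers."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip legacy_version and random
    pos += 1 + hello[pos]                           # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # skip compression methods
    # Without supported_versions, the client accepts anything up to legacy_version.
    versions = [v for v in VERSION_NAMES if v <= legacy_version]
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return {"versions": versions, "ciphers": ciphers}


def negotiation_outcome(offer: dict, server_versions, server_ciphers) -> str:
    """Mirror a server's order of decisions: protocol version first, cipher suite second."""
    common_versions = [v for v in offer["versions"] if v in server_versions]
    if not common_versions:
        return "protocol mismatch: client offered %s, server accepts %s" % (
            [VERSION_NAMES.get(v, hex(v)) for v in offer["versions"]],
            [VERSION_NAMES.get(v, hex(v)) for v in server_versions])
    common_ciphers = [c for c in offer["ciphers"] if c in server_ciphers]
    if not common_ciphers:
        return "cipher mismatch"
    return "ok: %s with %s" % (VERSION_NAMES[max(common_versions)],
                               CIPHER_NAMES.get(common_ciphers[0], hex(common_ciphers[0])))


if __name__ == "__main__":
    # Server settings from the yml in the report: TLS 1.2/1.1 and one CBC suite.
    server_versions = [0x0303, 0x0302]
    server_ciphers = [0x002F]
    tls13_only = build_client_hello([0x0304], [0x1301, 0x002F])   # Postman left on TLS 1.3 only
    tls12_client = build_client_hello([0x0303], [0x002F])          # what the reporter intended
    for hello in (tls13_only, tls12_client):
        print(negotiation_outcome(parse_client_hello(hello), server_versions, server_ciphers))
```

The first constructed client lists the enabled suite 0x002F but is rejected anyway, reproducing the shape of the logged error; the second negotiates TLSv1.2 with TLS_RSA_WITH_AES_128_CBC_SHA. Pointing the parser at a real ClientHello (for example the first record of a capture) tells you what the client actually offered, which is the quickest way to separate a client-side TLS setting from a server-side cipher configuration problem.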
