Elasticsearch version: 7.7.1
Server OS version: Windows 10
Provide configuration:
elasticsearch/config/elasticsearch.yml
network.host: 0.0.0.0
action.auto_create_index: false
searchguard.ssl_only: true
searchguard.ssl.http.enabled_protocols: ["TLSv1.2", "TLSv1.1"]
searchguard.ssl.transport.enabled_protocols: ["TLSv1.2", "TLSv1.1"]
searchguard.ssl.http.enabled_ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA"]
searchguard.ssl.transport.enabled_ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA"]
cluster.name: <cluster.name>
node.name: <node.name>
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.transport.pemtrustedcas_filepath: <root.crt>
searchguard.ssl.http.pemtrustedcas_filepath: <root.crt>
searchguard.ssl.transport.pemkey_filepath: <client.key>
searchguard.ssl.transport.pemcert_filepath: <client.cert>
searchguard.ssl.http.pemkey_filepath: <client.key>
searchguard.ssl.http.pemcert_filepath: <client.cert>
cluster.initial_master_nodes: ["<node.name>"]
discovery.zen.ping.unicast.hosts: ["<node.name>"]
path.logs:
Describe the issue:
Based on my above configuration of the yml file, I tried to enable only a specific cipher suite that belongs to the enabled TLS protocol versions, but it still complains about a TLS version which I have not enabled.
Steps to reproduce:
- Enable the Protocols and Cipher as mentioned above.
- Restart the service
- Send a request from Postman. Make sure no protocols are disabled during the handshake, and for the cipher suite selection mention only the one that has been enabled in the yml file.
- Check the Elasticsearch log:
[WARN ][o.e.h.AbstractHttpServerTransport] [cad206.corp.soti.net] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=null}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12, TLS11]
…
…
Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12, TLS11]
Expected behaviour:
If the cipher suite belongs to the enabled protocols, then there should not be such a warning/error. I should see a proper response.
Additional data:
I have validated the mapping of cipher suites and protocols at Microsoft's site.
Let me know if I am missing anything or if you need more details.
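Added example, not part of the issue above and not Search Guard or Elasticsearch code: a Go program that reproduces the negotiation the log line describes, using an in-memory server restricted to TLS 1.2 and to TLS_RSA_WITH_AES_128_CBC_SHA, the suite from the configuration above. It assumes a throwaway self-signed RSA certificate and uses Go's crypto/tls in place of the Netty/JSSE stack inside Elasticsearch; TLS 1.1 is left out of the server because Go's client cannot offer it. The point it shows is that the protocol version is agreed from the ClientHello's supported_versions extension before the server looks at any cipher suite, so a client that offers only TLS 1.3 is turned away with a protocol_version alert even though the one configured suite is a TLS 1.2 suite, while the same client offering TLS 1.2 negotiates that suite.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newRSACert makes a throwaway self-signed RSA certificate in memory (assumed
// test material). RSA is required because TLS_RSA_WITH_AES_128_CBC_SHA uses
// RSA key exchange.
func newRSACert() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// serverConfig stands in for the posted HTTP settings: one protocol version
// (TLS 1.2 only; Go's client cannot speak 1.1) and exactly one cipher suite.
func serverConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA},
	}
}

// handshake runs server and client over an in-memory pipe and returns the
// client's view of the outcome (negotiated state, or the handshake error).
func handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	cRaw, sRaw := net.Pipe()
	deadline := time.Now().Add(10 * time.Second) // never let a stuck peer hang the caller
	_ = cRaw.SetDeadline(deadline)
	_ = sRaw.SetDeadline(deadline)
	go func() {
		_ = tls.Server(sRaw, serverCfg).Handshake() // the client side reports the failure
		_ = sRaw.Close()
	}()
	cli := tls.Client(cRaw, clientCfg)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// ProbeTLS13Only is the failing case from the log: the client offers only
// TLS 1.3. Its cipher list never matters, because the version is agreed from
// supported_versions first; Go applies CipherSuites to TLS 1.2 and below only.
func ProbeTLS13Only(cert tls.Certificate) (tls.ConnectionState, error) {
	return handshake(serverConfig(cert), &tls.Config{
		InsecureSkipVerify: true, // self-signed test certificate
		MinVersion:         tls.VersionTLS13,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}, // TLS 1.2 suite, unused at 1.3
	})
}

// ProbeTLS12RSA is the working case: TLS 1.2 offered with the same single suite.
func ProbeTLS12RSA(cert tls.Certificate) (tls.ConnectionState, error) {
	return handshake(serverConfig(cert), &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA},
	})
}

func main() {
	cert, err := newRSACert()
	if err != nil {
		panic(err)
	}
	_, err = ProbeTLS13Only(cert)
	fmt.Println("client offers TLS 1.3 only          ->", err)
	st, err := ProbeTLS12RSA(cert)
	fmt.Println("client offers TLS 1.2 + RSA/AES-CBC ->", err, tls.CipherSuiteName(st.CipherSuite))
}
```

The same two probes can be run against a real node with OpenSSL: `openssl s_client -connect <host>:9200 -tls1_2 -cipher AES128-SHA` (AES128-SHA is OpenSSL's name for TLS_RSA_WITH_AES_128_CBC_SHA) should complete, while `openssl s_client -connect <host>:9200 -tls1_3` should be refused with a protocol version alert, independent of any cipher setting. Two caveats for anyone copying this configuration: TLS_RSA_WITH_AES_128_CBC_SHA has no forward secrecy and relies on CBC with SHA-1, and leaving TLSv1.1 enabled widens the downgrade surface; an ECDHE suite on TLS 1.2 (or TLS 1.3 where the client stack supports it) is the usual recommendation.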