Hardening TLS cipher suites without doing a full-cluster restart

Elasticsearch version: 6.8.10

Server OS version: CentOS 7

Kibana version (if relevant): 6.8.10

Browser version (if relevant):

Browser OS version (if relevant):

Describe the issue:

After selecting certain ciphers (searchguard.ssl.http.enabled_ciphers) and restarting Elasticsearch, Elasticsearch complains about the same issues as in this thread (Searchguard cipher suite issue). This is obviously because the other clients or Kibana are communicating with another set of ciphers. However, I was wondering if it is possible to harden the ciphers that our stack can use without having to shut down my whole cluster and then start it back up again after allowing the same set of ciphers on all of our Elasticsearch nodes?

What happened is the following:

  1. I shut down a certain Elasticsearch node
  2. I changed the elasticsearch.yml to whitelist certain ciphers with the searchguard.ssl.http.enabled_ciphers option.
  3. I restarted Elasticsearch on the same node
  4. I got errors complaining about the ciphers, same as in Searchguard cipher suite issue

I hope you understand my question/issue.

What ciphers are you using right now, and which ones are you going to use?

If these sets don’t overlap (i.e., have an empty intersection), it might be worth a try to do the configuration change via an intermediate config state, where you introduce the new ciphers but don’t disable the old ones yet. Then, nodes with the old config should still be able to communicate with nodes with the new config. After all nodes are running with this intermediate config, you could disable the old ciphers.

2 Likes
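The intermediate-config approach from the reply above, as an added example that is not part of the original thread: it builds the intermediate cipher list and checks that every pair of configs that coexist during each rolling restart still shares a suite. The cipher suite names are constructed sample values (the thread does not list the real ones), and the function names and phase labels are hypothetical.

```python
# Added example: two-phase cipher rollout check. Suite names are constructed
# sample values; the thread does not say which ciphers are in use.
OLD = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"]
NEW = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
       "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]

def intermediate(old, new):
    """Order-preserving union: new suites first, old ones kept for now."""
    return list(dict.fromkeys(new + old))

def mixed_state_failures(configs):
    """Pairs of coexisting configs whose enabled lists share no suite."""
    names = sorted(configs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if not set(configs[a]) & set(configs[b])]

def plan(old, new):
    """Configs that coexist during each rolling restart (hypothetical labels)."""
    mid = intermediate(old, new)
    return {
        "direct": {"old": old, "new": new},
        "phase 1": {"old": old, "intermediate": mid},
        "phase 2": {"intermediate": mid, "new": new},
    }

def yaml_setting(ciphers, key="searchguard.ssl.http.enabled_ciphers"):
    """Render the list as the elasticsearch.yml setting named in the question."""
    return key + ":\n" + "\n".join(f'  - "{c}"' for c in ciphers)

if __name__ == "__main__":
    for label, configs in plan(OLD, NEW).items():
        bad = mixed_state_failures(configs)
        print(f"{label}: {'no shared suite between ' + str(bad) if bad else 'ok'}")
    print(yaml_setting(intermediate(OLD, NEW)))
```

Clients such as Kibana that only offer the old suites need a cipher list that overlaps the final set before phase 2 starts, otherwise they fail against the first node restarted with the hardened list.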
