According to this post, "Problem with OpenSSL netty_tcnative", for which I still did not find a solution after investing hours, I am asking myself what I need that for.
What I want, as Elasticsearch is only running on localhost and is not open to the world, is just some form of authorization (user) against Elasticsearch so the content cannot be read by everyone on the machine.
But it seems search-guard is not able to do this because TLS encrypted communication is mandatory for the install. Am I right with this assumption? Because tbh there is no need for a TLS communication if I communicate from localhost (graylog) to localhost (elastic) on the same node.
Are there any other solutions for this problem, maybe?
Would appreciate any help, thanks!
For HTTP, TLS is optional; for internode communication (transport protocol) it is mandatory.
But OpenSSL is totally optional - if there are problems (like in your case) we just fall back to using the TLS implementation of the JVM. So you can just ignore that. If you are on Java 11 there are also no big performance gains anymore from using OpenSSL over JVM TLS. If you are on Java 8 and cannot use OpenSSL, you can adjust the cipher suites to use CBC mode instead of GCM to make things faster. See https://github.com/floragunncom/search-guard/issues/310#issuecomment-372145935
Thanks for your reply, yes I understand that it is mandatory for node communication in a case where the nodes are on different machines, because this is the only thing that makes sense. But there is no real internode communication in this case as it is on the same machine.
Anyway, as said in the other thread, I will give the netty debug a try and then get back to you.
But to get back on that topic here, a possibility to just use user authentication against Elastic without the hassle of having to use TLS (because for local installs this is unneeded work setting up, it just complicates things) would be a great benefit.
See https://search-guard.com/search-guard-ssl-tls/ and we have no plans to change it. But Search Guard is an open source project and maybe you would just like to fork it and adapt it to your needs.
Ok, thanks for getting back to me on this. So I will go through the TLS setup anyway then (I will script it) and try now to get OpenSSL working with netty debug of the static lib, thanks.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
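
The setup the thread arrives at (transport TLS on, HTTP TLS off, OpenSSL not used) written out as an `elasticsearch.yml` fragment. This is an added example, not taken from the posts or from the Search Guard project; the certificate file names and the admin DN are placeholder assumptions.

```yaml
# elasticsearch.yml fragment for a single node that is reachable only on loopback.
# Added example: file names and the DN below are placeholders, not values from the thread.

# Keep Elasticsearch bound to loopback so only local processes (e.g. Graylog) can connect.
network.host: 127.0.0.1

# Transport (internode) TLS: mandatory for Search Guard, even with a single node.
# Paths are relative to the Elasticsearch config directory.
searchguard.ssl.transport.pemcert_filepath: node.pem            # placeholder name
searchguard.ssl.transport.pemkey_filepath: node.key             # placeholder name
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem   # placeholder name

# HTTP (REST) TLS: optional. Left off here, so clients on the same host
# talk plain HTTP to the REST port and authenticate with a user and password.
searchguard.ssl.http.enabled: false

# OpenSSL (netty-tcnative) is optional. Turning it off explicitly makes the node
# use the JVM's TLS implementation instead of attempting to load the native library.
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.http.enable_openssl_if_available: false

# DN of the client certificate that is allowed to administer Search Guard
# (load users and roles). Must match the subject of your own admin certificate.
searchguard.authcz.admin_dn:
  - "CN=admin,OU=example,O=example,C=XX"   # constructed placeholder
```

With HTTP TLS off, the user name and password cross the loopback interface unencrypted, so anyone with packet-capture rights on the host can read them.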