Query on searchguard without tls


I am using elasticsearch & kibana oss distributions with searchguard plugins (ELK 7.0.1).

Within the cluster, when Kibana talks to Elasticsearch, we do not want TLS.
Is there a way to disable node-to-node encryption and TLS while still having authentication for Elasticsearch?
If yes, could you please help me with the required configurations for this?

Thanks & Regards,


No, TLS on the transport layer is one of the main building blocks of the Search Guard security architecture and thus cannot be disabled. Disabling inter-node TLS would open the Elasticsearch cluster to all sorts of attack scenarios.

It would be really helpful for us to understand what your concerns are regarding inter-node TLS. Why don’t you want to enable it for your use case?

Hi jkressin,
I have the same problem as shivani.aggarwal2195. While using TLS, we happen to get a ‘javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure’ error, which causes nodes to be lost, and then the cluster becomes unstable. Is that a bug or some other problem? We just want to use the base Auth, so is there any way to fix this problem? A similar error is described at ‘http://xwiz.cn/2018-05-09-java-ssl-ciphersuite’. Looking forward to your reply.

In order to debug this, I would need to see your elasticsearch.yml configuration and the full stack trace from the Elasticsearch log file.

If you have trouble setting up TLS, I highly recommend using our TLS offline tool. It provides an easy way to generate production-ready certificates that can be used with Search Guard:

The ES configuration is like below:

http.cors.allow-headers: "Authorization,X-Requested-With,- Content-Length,Content-Type"
xpack.security.enabled: false
xpack.ml.enabled: false
searchguard.ssl.transport.pemcert_filepath: tls_file/node.pem
searchguard.ssl.transport.pemkey_filepath: tls_file/node.key
searchguard.ssl.transport.pemkey_password: search-guard-pk
searchguard.ssl.transport.pemtrustedcas_filepath: tls_file/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: tls_file/node_http.pem
searchguard.ssl.http.pemkey_filepath: tls_file/node_http.key
searchguard.ssl.http.pemkey_password: search-guard-pk
searchguard.ssl.http.pemtrustedcas_filepath: tls_file/root-ca.pem


Thank you so much for your replies. We did use the TLS offline tool to generate certificates, Search Guard has also taken effect, and the cluster also runs well, but this problem appears occasionally, maybe once a day or once every two days. The trace is like below:

Up to now, we have removed SG from our production cluster, so it is hard to get more info. Any suggestions for us?

The Elasticsearch version is 6.5.3, and the SG version is also 6.5.3.

So if you have used the TLS tool, and the cluster also runs fine, and the exception only happens every one or two days, I think it cannot be a general configuration problem. If it were, you would see more exceptions, most probably already on node startup.

My best guess at the moment is that this is due to network issues, probably latency or a timeout. See also here:

Do you see any load spikes on the machine(s) when this happens? Any network issues?

Yes, some ‘ping Time_out’ did occur at that time, but after removing SG the cluster has had no problems so far, so we think that if TLS has some potential problems, maybe short-lived network issues will cause a serious problem. We will also study the suggestions above.

Thanks so much!
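
Added example, not part of the thread and not Search Guard or Elasticsearch code: one way to test the network-latency hypothesis discussed above is to check whether each SSLHandshakeException in the Elasticsearch log falls close to a timeout entry. The log lines are constructed samples in the Elasticsearch 6.x bracketed layout; the logger names, the timeout message text, the 30-second window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (assumption: Elasticsearch 6.x "[time][level][logger] msg" layout).
SAMPLE_LOG = """\
[2019-05-20T03:14:05,120][WARN ][o.e.t.TransportService   ] [node-1] ping timeout waiting for response from node-2
[2019-05-20T03:14:07,480][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [node-1] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[2019-05-20T09:40:00,000][INFO ][o.e.c.s.ClusterApplierService] [node-1] added {node-2}
[2019-05-21T11:02:44,915][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [node-1] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$")
HANDSHAKE = re.compile(r"SSLHandshakeException")
# Assumed spellings of timeout messages, including the 'ping Time_out' wording from the thread.
TIMEOUT = re.compile(r"time[_ ]?out|timed out", re.IGNORECASE)


def parse(text):
    """Yield (timestamp, message) for every line that matches the bracketed layout."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f"), m["msg"]


def correlate(text, window_s=30):
    """Return [(handshake_time_iso, timeout_seen_within_window)] for each handshake failure."""
    events = list(parse(text))
    timeouts = [ts for ts, msg in events
                if TIMEOUT.search(msg) and not HANDSHAKE.search(msg)]
    window = timedelta(seconds=window_s)
    report = []
    for ts, msg in events:
        if HANDSHAKE.search(msg):
            near = any(abs(ts - t) <= window for t in timeouts)
            report.append((ts.isoformat(), near))
    return report


if __name__ == "__main__":
    for when, near in correlate(SAMPLE_LOG):
        label = "timeout nearby" if near else "no timeout nearby"
        print(f"{when}  handshake_failure  ({label})")
```

Handshake failures that consistently sit next to timeouts are consistent with the network explanation; failures with no timeout nearby are the ones worth sending along with elasticsearch.yml and the full stack trace.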