Query on searchguard without tls

Hi,

I am using the Elasticsearch & Kibana OSS distributions with the Search Guard plugins (ELK 7.0.1).

Within the cluster, when Kibana talks to Elasticsearch, we do not want TLS.
Is there a way to disable node-to-node encryption and TLS while still having authentication for Elasticsearch?
If yes, could you please help me with the required configuration for this?

Thanks & Regards,
Shivani

Hi,

No, TLS on the transport layer is one of the main building blocks of the Search Guard security architecture and thus cannot be disabled. Disabling inter-node TLS would open the Elasticsearch cluster to all sorts of attack scenarios.

It would be really helpful for us to understand what your concerns are regarding inter-node TLS. Why don’t you want to enable it for your use case?

Hi jkressin,
I have the same problem as shivani.aggarwal2195. While using TLS, we sometimes get ‘javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure’, which causes nodes to be lost, and then the cluster becomes unstable. Is that a bug or some other problem? We just want to use basic auth, so is there any way to fix this? A similar error is described at ‘http://xwiz.cn/2018-05-09-java-ssl-ciphersuite’. Looking forward to your reply,
thanks!

In order to debug this, I would need to see your elasticsearch.yml configuration and the full stack trace from the Elasticsearch log file.

If you have trouble setting up TLS, I highly recommend using our TLS offline tool. It provides an easy way to generate production-ready certificates that can be used with Search Guard:

the ES configuration is like below:
http.cors.allow-headers: "Authorization,X-Requested-With,Content-Length,Content-Type"
xpack.security.enabled: false

xpack.ml.enabled: false
searchguard.ssl.transport.pemcert_filepath: tls_file/node.pem
searchguard.ssl.transport.pemkey_filepath: tls_file/node.key
searchguard.ssl.transport.pemkey_password: search-guard-pk

searchguard.ssl.transport.pemtrustedcas_filepath: tls_file/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: tls_file/node_http.pem
searchguard.ssl.http.pemkey_filepath: tls_file/node_http.key
searchguard.ssl.http.pemkey_password: search-guard-pk
searchguard.ssl.http.pemtrustedcas_filepath: tls_file/root-ca.pem

searchguard.nodes_dn:

Thank you so much for your replies. We did use exactly the TLS offline tool to generate the certificates, Search Guard also took effect and the cluster ran well, but this problem appears occasionally, maybe once a day or once every two days. The trace is like below:


Up to now, we have removed SG from our production cluster, so it is hard to get more info. Any suggestions for us?

The Elasticsearch version is 6.5.3, and the SG version is also 6.5.3.

So if you have used the TLS tool, the cluster runs fine, and the exception only happens every one or two days, I think it cannot be a general configuration problem. If it were, you would see more exceptions, most probably already on node startup.

My best guess at the moment is that this is due to network issues, probably latency or a timeout. See also here:

Do you see any load spikes on the machine(s) when this happens? Any network issues?
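One way to test the reasoning in this reply against a real log, as an added example that is not part of the thread and not Search Guard or Elasticsearch code: tag every `SSLHandshakeException` with what the surrounding log supports. A handshake failure within a few minutes of the same node logging `started` points at configuration (wrong CA, key or cipher settings fail on every restart); one within a couple of minutes of a ping or discovery timeout on the same node points at the network, which is the guess above. The log lines are constructed in the Elasticsearch 6.x log4j format, and the 300 s startup window, the 120 s timeout window and the keyword patterns are assumptions, not values from the thread.

```python
"""Correlate Search Guard TLS handshake failures with ping/discovery timeouts.

Added example for this thread, not Search Guard or Elasticsearch code.
Log lines are constructed in the ES 6.x log4j layout; the window sizes and
keyword patterns below are assumptions.
"""
import re
from datetime import datetime, timedelta

# ES 6.x default pattern: [timestamp][LEVEL ][logger   ] [node-name] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s*\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Event kinds, checked in order; the first matching pattern wins (assumed keywords).
KINDS = (
    ("ssl_handshake", re.compile(r"SSLHandshakeException|handshake_failure")),
    ("ping_timeout", re.compile(r"failed to ping|ping timeout|timed out", re.I)),
    ("started", re.compile(r"^started$")),
)


def parse_es_log(text):
    """Split log text into events. Lines without a timestamp (exception
    message, stack frames) are folded into the preceding event so the
    exception class name is visible to the classifier."""
    events = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f"),
                           "node": m.group("node"), "msg": m.group("msg")})
        elif events:
            events[-1]["msg"] += "\n" + line.strip()
    return events


def classify(event):
    """Return the event kind, or None for lines we do not care about."""
    for kind, pattern in KINDS:
        if pattern.search(event["msg"]):
            return kind
    return None


def correlate(events, timeout_window=timedelta(seconds=120),
              startup_window=timedelta(seconds=300)):
    """Attach a verdict to every TLS handshake failure:
    'startup'     shortly after the same node logged 'started' (config suspect)
    'timeout'     close to a ping timeout on the same node (network suspect)
    'unexplained' neither; needs the full stack trace and elasticsearch.yml"""
    tagged = [(e, classify(e)) for e in events]
    starts = [e for e, k in tagged if k == "started"]
    timeouts = [e for e, k in tagged if k == "ping_timeout"]
    results = []
    for h in (e for e, k in tagged if k == "ssl_handshake"):
        verdict, evidence = "unexplained", None
        for s in starts:
            if s["node"] == h["node"] and timedelta(0) <= h["ts"] - s["ts"] <= startup_window:
                verdict, evidence = "startup", s["ts"]
                break
        if verdict == "unexplained":
            for t in timeouts:
                if t["node"] == h["node"] and abs(h["ts"] - t["ts"]) <= timeout_window:
                    verdict, evidence = "timeout", t["ts"]
                    break
        results.append({"node": h["node"], "ts": h["ts"], "verdict": verdict, "evidence": evidence})
    return results


def summarize(results):
    """Count verdicts: mostly 'startup' means fix the TLS config first,
    mostly 'timeout' means look at the network, as the reply suggests."""
    counts = {"total": len(results), "startup": 0, "timeout": 0, "unexplained": 0}
    for r in results:
        counts[r["verdict"]] += 1
    return counts


# Constructed sample shaped like ES 6.5 logs with Search Guard on the transport layer.
SAMPLE_LOG = """\
[2019-06-11T00:00:05,001][INFO ][o.e.n.Node               ] [node-1] started
[2019-06-11T00:00:20,417][WARN ][o.e.t.n.Netty4Transport  ] [node-1] exception caught on transport layer [NettyTcpChannel{localAddress=/10.0.0.11:9300, remoteAddress=/10.0.0.12:51422}], closing connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
[2019-06-12T03:14:07,112][WARN ][o.e.d.z.ZenDiscovery     ] [node-2] master left (reason = failed to ping, tried [3] times, each with maximum [30s] timeout), current nodes: nodes:
[2019-06-12T03:14:08,551][WARN ][o.e.t.n.Netty4Transport  ] [node-2] exception caught on transport layer [NettyTcpChannel{localAddress=/10.0.0.12:9300, remoteAddress=/10.0.0.11:41200}], closing connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[2019-06-13T09:00:00,000][WARN ][o.e.t.n.Netty4Transport  ] [node-3] exception caught on transport layer [NettyTcpChannel{localAddress=/10.0.0.13:9300, remoteAddress=/10.0.0.11:41300}], closing connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

if __name__ == "__main__":
    found = correlate(parse_es_log(SAMPLE_LOG))
    for r in found:
        print(r["ts"], r["node"], r["verdict"], r["evidence"])
    print(summarize(found))
```

Run it against a real `elasticsearch.log` with `correlate(parse_es_log(open(path).read()))`; the `unexplained` bucket is the one to send to the forum together with the full stack trace and `elasticsearch.yml`, as the reply asks.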

Yes, some ‘ping Time_out’ errors occurred at exactly that time, but after removing SG the cluster has had no problems so far, so we think that if TLS has some potential problems, maybe short network issues will cause a serious problem. We will also study the suggestions above. As a temporary solution we are using SG without TLS and only basic auth; any suggestions?

thanks so much!

This suggests that your cluster/network is probably already working at its limits? TLS adds some performance overhead of course; the amount varies depending on your machines (e.g. hardware support for encryption or not) and the chosen ciphers and encryption algorithms. It’s probably anywhere between 5% and 15%.

As with other security solutions for ES, TLS on transport layer is a central point in the security infrastructure and cannot be turned off.


Thank you so much. Our cluster looks to be working well without any auth; network and other machine indicators also look fine. It’s surprising. We will follow the SG forum.
