REST SSL issues

Hi all,

I am using search-guard 0.5 with ElasticSearch 1.6. I have been able to get internode communication with SSL going, thanks to the cert-generation sample scripts, which make things amply clear.

However, with REST SSL I am seeing some issues. Here is my configuration. I am using the JRE cacerts as the keystore, since I will be accessing this API from the browser, so the cacerts from the JRE should be able to match the ones in the browser. For the truststore, I took a cert that is assigned to my machine and created a truststore2.jks from it.

I am wondering if that is correct. It does not seem to work.

# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: true

# Path where to write/read the searchguard master key file
searchguard.key_path: /usr/share/elasticsearch/plugins

# When using DLS or FLS and a get or mget is performed then rewrite it as a search request
#searchguard.rewrite_get_as_search: true

searchguard.check_for_root: false
searchguard.allow_all_from_loopback: true

...

#############################################################################################
# Transport layer SSL
#############################################################################################

# Enable or disable node-to-node ssl encryption
searchguard.ssl.transport.node.enabled: true

# JKS or PKCS12
searchguard.ssl.transport.node.keystore_type: JKS

# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.node.keystore_filepath: /usr/java/latest/lib/security/node-0-keystore.jks

# Keystore password
searchguard.ssl.transport.node.keystore_password: kspass

# Do other nodes have to authenticate themselves to the cluster, default is true
searchguard.ssl.transport.node.enforce_clientauth: true

# JKS or PKCS12
searchguard.ssl.transport.node.truststore_type: JKS

# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.node.truststore_filepath: /usr/java/latest/lib/security/truststore.jks

# Truststore password
searchguard.ssl.transport.node.truststore_password: tspass

# Enforce hostname verification
searchguard.ssl.transport.node.enforce_hostname_verification: true

# If hostname verification is enforced, specify whether the hostname should be resolved
searchguard.ssl.transport.node.enforce_hostname_verification.resolve_host_name: true

#############################################################################################
# REST layer SSL
#############################################################################################

# Enable or disable rest layer security (https)
searchguard.ssl.transport.http.enabled: true

# JKS or PKCS12
searchguard.ssl.transport.http.keystore_type: JKS

# Absolute path to the keystore file (this stores the server certificates)
searchguard.ssl.transport.http.keystore_filepath: /usr/java/latest/lib/security/cacerts

# Keystore password
searchguard.ssl.transport.http.keystore_password: changeit

# Do the clients (typically the browser or the proxy) have to authenticate themselves to the http server, default is false
searchguard.ssl.transport.http.enforce_clientauth: true

# JKS or PKCS12
searchguard.ssl.transport.http.truststore_type: JKS

# Absolute path to the truststore file (this stores the client certificates)
searchguard.ssl.transport.http.truststore_filepath: /usr/java/latest/lib/security/truststore2.jks

# Truststore password
searchguard.ssl.transport.http.truststore_password: foobar

#############################################################################################
# Authentication backend
#############################################################################################

# Validates the username and credentials
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend

# If caching is enabled then authentication succeeds for 24 h after the first successful login without hitting the backend again and again
searchguard.authentication.authentication_backend.cache.enable: true

#####################################################
# Settings based authentication (define users and passwords directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.: password
#searchguard.authentication.settingsdb.user.user1: password
searchguard.authentication.settingsdb.user.pshah: foobar

# If the plain text password should be hashed use this. Supported digests are: SHA1 SHA256 SHA384 SHA512 MD5
searchguard.authentication.settingsdb.digest: SHA1
searchguard.authentication.settingsdb.user.pshah: f741cc7d1aaaa5fc112607b46a765ab7df014dd2
#####################################################

I am seeing the following issue:

[2015-08-16 14:49:59,221][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x65dce709, /10.21.50.36:53330 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
        at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
        at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
        at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
        at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
        at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
        at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
        at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
        at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
        at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
        at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(Unknown Source)
        at sun.security.ssl.ServerHandshaker.clientHello(Unknown Source)
        at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at sun.security.ssl.Handshaker$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
        at org.elasticsearch.common.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
        at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
        ... 18 more

[2015-08-16 14:49:59,273][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x3b47e432, /10.21.50.36:53331 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        (same stack trace as above)

[2015-08-16 14:49:59,317][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0xb18da9a8, /10.21.50.36:53332 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        (same stack trace as above)

[2015-08-16 14:49:59,354][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Scarlet Centurion] Caught exception while handling client http traffic, closing connection [id: 0x28f41e0b, /10.21.50.36:53333 => /10.21.44.117:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        (same stack trace as above)
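An added diagnostic for the REST SSL configuration and the "no cipher suites in common" handshake error described in the post above; this is editor-supplied example code, not part of Search Guard and not something the poster ran. A JSSE server can only offer a cipher suite if its keystore holds a PrivateKeyEntry (a private key with its certificate chain) that the suite can use; a store that contains only trustedCertEntry items, which is what a JRE cacerts file is, leaves the server with nothing to sign with, and the handshake is rejected in ServerHandshaker.chooseCipherSuite with exactly this message. The script below classifies a keystore from `keytool -list` output and probes the HTTPS port with `openssl s_client`. It assumes a JDK `keytool` and `openssl` on PATH; the two sample listings are constructed for the example (the aliases and fingerprints are made up), and the function names are the example's own. One caveat for the truststore side: with `enforce_clientauth: true` the server requires the browser to present a client certificate, and the truststore must hold the CA that issued that client certificate (or the client certificate itself), so a copy of the machine's own server certificate in truststore2.jks does not satisfy that check.

```shell
#!/bin/sh
# Added example, not part of the original post or of Search Guard.
# Assumes `keytool` (JDK) and `openssl` are on PATH.

# Classify the text produced by `keytool -list` (passed in as one string):
# "server-capable" if at least one PrivateKeyEntry is present,
# "trust-only"     if the store holds only trustedCertEntry items (a CA bundle),
# "empty"          otherwise.
classify_keystore_listing() {
    listing=$1
    priv=$(printf '%s\n' "$listing" | grep -c 'PrivateKeyEntry' || true)
    trusted=$(printf '%s\n' "$listing" | grep -c 'trustedCertEntry' || true)
    if [ "$priv" -gt 0 ]; then
        echo server-capable
    elif [ "$trusted" -gt 0 ]; then
        echo trust-only
    else
        echo empty
    fi
}

# Run keytool against a real store and classify it.
# Usage: check_keystore PATH PASSWORD [JKS|PKCS12]
check_keystore() {
    out=$(keytool -list -keystore "$1" -storepass "$2" -storetype "${3:-JKS}" 2>&1) || {
        printf 'keytool failed for %s: %s\n' "$1" "$out" >&2
        return 2
    }
    classify_keystore_listing "$out"
}

# Probe the HTTPS port the way a browser would and summarise the outcome:
# "handshake-failure" (a server-side "no cipher suites in common" reaches the
# client as a handshake_failure alert), "handshake-ok" or "unreachable".
# With enforce_clientauth: true the server also rejects a client that sends no
# certificate, so pass a PEM client cert and key as the 3rd/4th arguments to
# tell that case apart from a keystore problem on the server.
# Usage: probe_https HOST PORT [CLIENT_CERT.pem CLIENT_KEY.pem]
probe_https() {
    host=$1; port=$2; shift 2
    extra=""
    [ "$#" -ge 2 ] && extra="-cert $1 -key $2"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" $extra </dev/null 2>&1) || true
    case "$out" in
        *"alert handshake failure"*) echo handshake-failure ;;
        *"Verify return code"*)      echo handshake-ok ;;
        *)                           echo unreachable ;;
    esac
}

# Constructed sample listings in the shape `keytool -list` prints (made-up
# aliases and fingerprints). The first mimics a JRE cacerts file, the second a
# node keystore produced by the Search Guard cert-generation scripts.
SAMPLE_CACERTS_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

exampleroot-ca-1, Aug 16, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
exampleroot-ca-2, Aug 16, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44'

SAMPLE_NODE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

node-0, Aug 16, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
root-ca, Aug 16, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66'

# Usage: sh tls_check.sh KEYSTORE PASSWORD [HOST PORT]
# e.g.   sh tls_check.sh /usr/java/latest/lib/security/cacerts changeit 10.21.44.117 9200
if [ "$#" -ge 2 ]; then
    echo "keystore $1: $(check_keystore "$1" "$2")"
    if [ "$#" -ge 4 ]; then
        echo "https $3:$4: $(probe_https "$3" "$4")"
    fi
else
    echo "sample cacerts listing: $(classify_keystore_listing "$SAMPLE_CACERTS_LISTING")"
    echo "sample node listing:    $(classify_keystore_listing "$SAMPLE_NODE_LISTING")"
fi
```

Run it against the keystore from the posted config first (`check_keystore` on the cacerts path with `changeit`): a "trust-only" result means the HTTP keystore has no server key to negotiate with, which matches the exception the node logs. Pointing `searchguard.ssl.transport.http.keystore_filepath` at a store that reports "server-capable" (a node keystore of the kind the transport layer already uses) is the thing to verify before looking at cipher suite configuration.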