[search-guard group] Elasticsearch-PHP Configuration

see the note on libcurl: Security | Elasticsearch-PHP [8.11] | Elastic

Make sure libcurl (on you PHP server) is compiled with TLSv1.1 or TLSv1.2 support and verify that you can so something like this:

curl -Ss --tlsv1.2 --cacert search-guard-ssl/example-pki-scripts/ca/root-ca.pem https://localhost:9200 (on PHP server)

If this does not work pls post the output of "curl -V" and "curl -help | grep -i tls" (on PHP server)

This should look like:

search-guard git:(master) ✗ curl -V
curl 7.49.1 (x86_64-apple-darwin14.5.0) libcurl/7.49.1 OpenSSL/1.0.2h zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

search-guard git:(master) ✗ curl -help | grep -i tls
     --false-start Enable TLS False Start.
     --ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer (F)
     --no-alpn Disable the ALPN TLS extension (H)
     --no-npn Disable the NPN TLS extension (H)
     --ssl Try SSL/TLS (FTP, IMAP, POP3, SMTP)
     --ssl-reqd Require SSL/TLS (FTP, IMAP, POP3, SMTP)
-1, --tlsv1 Use >= TLSv1 (SSL)
     --tlsv1.0 Use TLSv1.0 (SSL)
     --tlsv1.1 Use TLSv1.1 (SSL)
     --tlsv1.2 Use TLSv1.2 (SSL)
     --tlsuser USER TLS username
     --tlspassword STRING TLS password
     --tlsauthtype STRING TLS authentication type (default: SRP)


Am 31.08.2016 um 05:40 schrieb Bernie Carolan <bernie.carolan@gmail.com>:

Have installed the latest SearchGuard-SSL and everything works fine, Logstash, Kibana etc.

I would like to access the ES cluster using the Elasticsearch-PHP 2.0 API. Outlined in the documentation is the following setup:

$hosts = ['https://localhost:9200'];

= 'path/to/cacert.pem';

= ClientBuilder::create()




I've tried setting the certificate to the generated root-ca.pem that works with Kibana, but I get the following error from SG:

SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

Is there something else that has to be configured?

You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f8e2d84d-93d0-4108-b458-4b80c85b2390%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.