Searchguard Not Picking Up http.enabled_protocols

I am trying to limit communication to my ES cluster to TLSv1.2. When I set the enabled protocol for the transport layer it works no problem. When I do the same thing for the http layer nothing happens and I get a note in the ES log informing me it has enabled both TLSv1.1 and TLSv1.2. I have also tried limiting the ciphers using searchguard.ssl.http.enabled_ciphers to

  - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
  - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"
  - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
  - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
  - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"
  - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
  - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
  - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
  - "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
  - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"
  - "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
  - "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
  - "TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"

but was able to connect with ECDHE-RSA-AES128-SHA.

Is the configuration honored for the http layer? Do I need to run SGAdmin.bat again? I didn’t seem to need to for the transport layer.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: ES 6.1.1 and SearchGuard 6.1.1-25

  • Installed and used enterprise modules, if any - None

  • JVM version and operating system version - 1.8.144 on windows

  • Search Guard configuration files

    searchguard.ssl.http.enabled_protocols:
      - "TLSv1.2"

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any - None

Cannot reproduce. You need to add searchguard.ssl.http.enabled_ciphers and searchguard.ssl.http.enabled_protocols in elasticsearch.yml.
After that, the node must be restarted. sgadmin does not need to be executed for that.

Please send your elasticsearch.yml along with the full logs when the node starts, something like:

[2018-01-23T18:30:47,993][INFO ][o.e.e.NodeEnvironment ] [searchguard_testnode_1] using [1] data paths, mounts [[/ (/dev/disk1)]], net usable_space [60.8gb], net total_space [464.7gb], types [hfs]
[2018-01-23T18:30:47,995][INFO ][o.e.e.NodeEnvironment ] [searchguard_testnode_1] heap size [3.5gb], compressed ordinary object pointers [true]
[2018-01-23T18:30:47,997][INFO ][o.e.n.Node ] [searchguard_testnode_1] node name [searchguard_testnode_1], node ID [miGltmSVSWKGKaJrXBj8oQ]
...
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Client Provider : null
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Server Provider : null
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider : JDK
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.2, TLSv1.1]
[2018-01-23T18:30:49,546][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.2]
...
[2018-01-23T18:30:55,874][INFO ][o.e.n.Node ] [searchguard_testnode_2] started

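Check with one of the tools listed here:

https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers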

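One way to automate the startup-log check described in the reply above, as an added example that is not part of the original thread or of Search Guard: it parses the "Enabled TLS protocols for ... layer" lines and reports any protocol outside the intended policy. The function names and the TLSv1.2-only default are assumptions; the sample lines are the ones shown in the reply.

```python
import re

# Startup lines as shown in the reply above (Search Guard 6.x log format).
SAMPLE_LOG = """\
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider : JDK
[2018-01-23T18:30:49,545][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.2, TLSv1.1]
[2018-01-23T18:30:49,546][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.2]
"""

LINE_RE = re.compile(
    r"Enabled TLS protocols for (?P<layer>transport|HTTP) layer\s*:\s*\[(?P<protos>[^\]]*)\]"
)

def enabled_protocols(log_text):
    """Map each layer ('transport', 'http') to the protocols the node logged.

    The last matching line per layer wins, so a log that spans several
    restarts reports the most recent start.
    """
    result = {}
    for m in LINE_RE.finditer(log_text):
        protos = [p.strip() for p in m.group("protos").split(",") if p.strip()]
        result[m.group("layer").lower()] = protos
    return result

def audit(log_text, allowed=("TLSv1.2",), layers=("transport", "http")):
    """Return {layer: finding}; an empty list means the layer matches policy.

    A layer with no log line is reported as None: the effective setting
    cannot be confirmed from this log.
    """
    seen = enabled_protocols(log_text)
    findings = {}
    for layer in layers:
        if layer not in seen:
            findings[layer] = None
        else:
            findings[layer] = [p for p in seen[layer] if p not in allowed]
    return findings

if __name__ == "__main__":
    for layer, extra in audit(SAMPLE_LOG).items():
        if extra is None:
            print(f"{layer}: no 'Enabled TLS protocols' line found")
        elif extra:
            print(f"{layer}: unexpected protocols enabled: {', '.join(extra)}")
        else:
            print(f"{layer}: OK")
```

Run it against the log written at node start, since the settings in elasticsearch.yml only take effect after a restart.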

I apologize, it ended up being a different configuration issue. I can confirm it does work.


Chris Stack | Software Engineer
