sgtlsdiag.sh - no verification of keystore/truststore ?

Search Guard
1

Hi,

for diagnosting TLS errors I´ve tested “sgtlsdiag.sh” using the command

user@host:/path/to/search-guard-tlstool-1.5/tools> ./sgtlsdiag.sh -es /path/to/elasticsearch-6.2.4/config/elasticsearch.yml -v

``

All I got was:


Reading node config file /path/to/elasticsearch-6.2.4/config/elasticsearch.yml

``

Looking in the code at search-guard-tlstool/SearchGuardTlsDiagnosis.java at master · floragunncom/search-guard-tlstool · GitHub it looks like
the “Using Keystore and Truststore files” setup isn´t supported by that tool, right ?

If so, it would be helpful to get at least some output, just to notify the user that no analysis is possible because allCaFiles is empty.

Any other way to verify the current searchguard setup?

Thanx, Torsten

2

This is true. Since SG 6.x PEM certificates are the preferred way of configuration, so the TLS Tool does not support JKS. We will add the extended error message to the back log.

For troubleshooting TLS problems have a look at:

For JKS we usually recommend the Keystore Explorer Tool:

This is a GUI for the Java keytool command and makes it quite easy to check the contents of keystores.

···

On Thursday, June 28, 2018 at 3:28:41 PM UTC+2, Torsten Reinhard wrote:

Hi,

for diagnosting TLS errors I´ve tested “sgtlsdiag.sh” using the command

user@host:/path/to/search-guard-tlstool-1.5/tools> ./sgtlsdiag.sh -es /path/to/elasticsearch-6.2.4/config/elasticsearch.yml -v

``

All I got was:


Reading node config file /path/to/elasticsearch-6.2.4/config/elasticsearch.yml

``

Looking in the code at https://github.com/floragunncom/search-guard-tlstool/blob/master/src/main/java/com/floragunn/searchguard/tools/tlsdiag/SearchGuardTlsDiagnosis.java it looks like
the “Using Keystore and Truststore files” setup isn´t supported by that tool, right ?

If so, it would be helpful to get at least some output, just to notify the user that no analysis is possible because allCaFiles is empty.

Any other way to verify the current searchguard setup?

Thanx, Torsten

3

Hi,

thanx for your reply and for adding this to the backlog. A little bit more output would be helpful, especially when nothing was evaluated, or if the current config is not supported.

We will check, if we can easily switch from our *.jks based setup to the PEM based setup.

For the *.jks setup I´m already using the mentioned keystore Tool - but running into a problem I mentioned at Redirecting to Google Groups

Maybe you can have a look at this, too?

Thanx a lot !

Torsten

···

Am Freitag, 29. Juni 2018 10:07:24 UTC+2 schrieb Jochen Kressin:

This is true. Since SG 6.x PEM certificates are the preferred way of configuration, so the TLS Tool does not support JKS. We will add the extended error message to the back log.

For troubleshooting TLS problems have a look at:

https://docs.search-guard.com/latest/troubleshooting-tls

For JKS we usually recommend the Keystore Explorer Tool:

http://keystore-explorer.org/

This is a GUI for the Java keytool command and makes it quite easy to check the contents of keystores.

On Thursday, June 28, 2018 at 3:28:41 PM UTC+2, Torsten Reinhard wrote:

Hi,

for diagnosting TLS errors I´ve tested “sgtlsdiag.sh” using the command

user@host:/path/to/search-guard-tlstool-1.5/tools> ./sgtlsdiag.sh -es /path/to/elasticsearch-6.2.4/config/elasticsearch.yml -v

``

All I got was:


Reading node config file /path/to/elasticsearch-6.2.4/config/elasticsearch.yml

``

Looking in the code at https://github.com/floragunncom/search-guard-tlstool/blob/master/src/main/java/com/floragunn/searchguard/tools/tlsdiag/SearchGuardTlsDiagnosis.java it looks like
the “Using Keystore and Truststore files” setup isn´t supported by that tool, right ?

If so, it would be helpful to get at least some output, just to notify the user that no analysis is possible because allCaFiles is empty.

Any other way to verify the current searchguard setup?

Thanx, Torsten