Someone (null) speaks http plaintext instead of ssl, will close the channel


I’m using ES 7.0.1 cluster mode with 3 nodes on different servers. There are a lot of WARN: [c.f.s.s.h.n.SearchGuardSSLNettyHttpServerTransport] [uklvadsb0234] Someone (null) speaks http plaintext instead of ssl, will close the channel

in the ES node logs after SG is plugged in. I also enabled the debug log config, but nothing special appears either.

I just followed the "demo installation" steps, with no special configuration.

Here is the sg config in elasticsearch.yaml

######## Start Search Guard Demo Configuration ########

# WARNING: revise all the lines below before you go into production

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true

  • CN=kirk,OU=client,O=client,L=test, C=de

searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
node.max_local_storage_nodes: 3 false
xpack.monitoring.enabled: true
######## End Search Guard Demo Configuration ########

I have no clue about it; please help with this. Thank you in advance.

In your elasticsearch.yml you have enabled SSL for the Elasticsearch HTTP layer:

searchguard.ssl.http.enabled: true

The error message

Someone (null) speaks http plaintext instead of ssl, will close the channel

means that either a user or a service tries to access Elasticsearch with HTTP instead of HTTPS. If SSL is enabled on REST, only HTTPS connections are allowed.
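The distinction behind this warning, as an added example that is not part of the original thread and is not Search Guard's or Netty's code: a simplified sketch of how a TLS-only listener can tell a TLS record from a plaintext HTTP request by the first bytes a client sends. The function names and sample byte strings are constructed for illustration.

```python
# A TLS connection opens with a 5-byte record header:
#   content type (1 byte), protocol version (2 bytes), length (2 bytes).
# Plaintext HTTP opens with an ASCII request line such as "GET / HTTP/1.1".

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")

# change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_RECORD_LEN = 2**14 + 2048  # TLS 1.2 ciphertext record limit (RFC 5246)


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """True if the bytes start with a plausible TLS record header."""
    if len(first_bytes) < 5:
        return False
    content_type, major = first_bytes[0], first_bytes[1]
    length = int.from_bytes(first_bytes[3:5], "big")
    return (content_type in TLS_CONTENT_TYPES
            and major == 3
            and length <= MAX_RECORD_LEN)


def classify_first_bytes(first_bytes: bytes) -> str:
    """Return 'tls', 'plaintext-http' or 'unknown' for a connection's first bytes."""
    if looks_like_tls_record(first_bytes):
        return "tls"
    if first_bytes.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"


# Constructed samples: what an https:// client and an http:// client would send
# to the same port (host name is a placeholder).
SAMPLES = {
    "https client": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    "http client": b"GET /_cluster/health HTTP/1.1\r\nHost: es.example:9200\r\n\r\n",
    "garbage": b"\x00\x01\x02",
}


def classify_samples() -> dict:
    return {name: classify_first_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

A client configured with an `http://` URL lands in the `plaintext-http` case, which is the situation the warning reports; pointing that client at `https://` instead moves it to the `tls` case.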

hi jkressin,

Thank you very much for your reply.
Sorry, it is from another process indeed. By the way, what if I disable the SSL HTTP configuration by setting searchguard.ssl.http.enabled: false? Does it mean that HTTP client connections will be established via HTTP without SSL, but the username & password are still required?
Thank you.

These are two different things. SSL is for securing and encrypting the traffic between a client and Elasticsearch; it is not used for authentication and authorization (apart from TLS client cert auth, but that’s not relevant here).

If you disable HTTPS by setting searchguard.ssl.http.enabled: false, then the traffic is unencrypted and can be sniffed by anyone.

Authentication then comes on top of TLS / HTTPS. Search Guard supports a wide range of authentication types:
