SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

We are getting SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) vulnerability error. By default search guard uses which cipher ?

By default, this entirely depends on the Java version you are using to run Elasticsearch.

On which Java does your Elasticsearch run? Also, which version of Elasticsearch are you using? And which version of Search Guard?

Java version is “JAVA_RELEASE”: “11.0.7”.
ES DB Version is 7.8.0

If you have not configured anything else in Search Guard, or Java, Java 11 uses the following cypher suites by default:

https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names

Coming to the logjam issue: You can two options to address it:

To circumvent the problem, you have several options:

• Add the JVM parameter -Djdk.tls.ephemeralDHKeySize=matched to the file config/jvm.options on all ES nodes. See here for details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys

• Disable all affected ciphers. You can use the Search Guard options searchguard.ssl.transport.enabled_ciphers and searchguard.ssl.http.enabled_ciphers in elasticsearch.yml to configure the ciphers. See here https://weakdh.org/sysadmin.html for “good” ciphers and general recommendations on the topic.

@nils : Thank you for your support.

You can also have a look at our docs for an example on how to configure ciphers and TLS protocols:

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.