We are getting an SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) vulnerability error. By default, which cipher does Search Guard use?
By default, this entirely depends on the Java version you are using to run Elasticsearch.
On which Java does your Elasticsearch run? Also, which version of Elasticsearch are you using? And which version of Search Guard?
Java version is “JAVA_RELEASE”: “11.0.7”.
ES DB Version is 7.8.0
If you have not configured anything else in Search Guard, or Java, Java 11 uses the following cipher suites by default:
Coming to the Logjam issue: you have two options to address it:
To circumvent the problem, you have several options:
- Add the JVM parameter `-Djdk.tls.ephemeralDHKeySize=matched` to the file `config/jvm.options` on all ES nodes. See here for details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
- Disable all affected ciphers. You can use the Search Guard options `searchguard.ssl.transport.enabled_ciphers` and `searchguard.ssl.http.enabled_ciphers` in `elasticsearch.yml` to configure the ciphers. See here https://weakdh.org/sysadmin.html for “good” ciphers and general recommendations on the topic.
You can also have a look at our docs for an example on how to configure ciphers and TLS protocols:
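An added check, not part of the original replies or the Search Guard docs: after applying either option, this script offers only DHE suites to a node with `openssl s_client` and reports the ephemeral DH key size from the handshake. The function names, the 2048-bit threshold and the sample outputs are assumptions constructed for illustration; 9200 and 9300 are Elasticsearch's default HTTP and transport ports.

```shell
#!/bin/sh
# Added example: check the ephemeral DH key size an Elasticsearch node negotiates.
MIN_DH_BITS=2048  # assumed target; the scanner finding is for moduli <= 1024 bits

# Constructed s_client excerpts (not captured from a real node).
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_FIXED='Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_NO_DHE='New, (NONE), Cipher is (NONE)'

# classify_dh: read `openssl s_client` output on stdin and print a verdict.
# Returns 1 only when a DH key smaller than MIN_DH_BITS was negotiated.
classify_dh() {
    # OpenSSL prints e.g. "Server Temp Key: DH, 1024 bits"; newer releases
    # label the same line "Peer Temp Key", so both labels are accepted.
    dh_line=$(grep -E '^(Server|Peer) Temp Key: ' | head -n 1)
    if [ -z "$dh_line" ]; then
        # No DHE handshake completed: DHE suites are disabled via
        # enabled_ciphers, or the node could not be reached at all.
        echo "NO_DHE"; return 0
    fi
    case "$dh_line" in
        *"Temp Key: DH, "*) ;;             # finite-field DH, inspect its size
        *) echo "NOT_DH"; return 0 ;;      # ECDH/X25519 is not the Logjam case
    esac
    dh_bits=$(printf '%s\n' "$dh_line" | sed -E 's/.*DH, ([0-9]+) bits.*/\1/')
    if [ "$dh_bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK_DH $dh_bits"; return 1
    fi
    echo "OK_DH $dh_bits"; return 0
}

# probe_node HOST PORT: offer only DHE suites over TLS 1.2 and classify the reply.
probe_node() {
    openssl s_client -connect "$1:$2" -tls1_2 -cipher 'DHE' </dev/null 2>/dev/null \
        | classify_dh
}

# Usage: ./check_dh.sh <host> 9200   (HTTP layer)
#        ./check_dh.sh <host> 9300   (transport layer)
if [ "$#" -eq 2 ]; then
    probe_node "$1" "$2"
fi
```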