We are getting SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) vulnerability error. By default search guard uses which cipher ?
By default, this entirely depends on the Java version you are using to run Elasticsearch.
On which Java does your Elasticsearch run? Also, which version of Elasticsearch are you using? And which version of Search Guard?
Java version is “JAVA_RELEASE”: “11.0.7”.
ES DB Version is 7.8.0
If you have not configured anything else in Search Guard, or Java, Java 11 uses the following cypher suites by default:
Coming to the logjam issue: You can two options to address it:
To circumvent the problem, you have several options:
Add the JVM parameter
-Djdk.tls.ephemeralDHKeySize=matchedto the file
config/jvm.optionson all ES nodes. See here for details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys
Disable all affected ciphers. You can use the Search Guard options
elasticsearch.ymlto configure the ciphers. See here https://weakdh.org/sysadmin.html for “good” ciphers and general recommendations on the topic.
@nils : Thank you for your support.
You can also have a look at our docs for an example on how to configure ciphers and TLS protocols: