The sequence of TLS Version protocols are different

chintushah46 · September 14, 2020, 11:39pm

Hi,

I am curious to know the reason for the different sequence of the TLS Version when we start the elasticsearch. Following is the output for two different versions,

6.3.1:
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.1, TLSv1.2]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.1, TLSv1.2]

7.7.1
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2, TLSv1.1]

Does it select the version of TLS based on the sequence?

srgbnd · September 15, 2020, 8:38am

Hi.
What TLS protocol versions did you specify in elasticsearch.yml? Look for the options searchguard.ssl.http.enabled_protocols and searchguard.ssl.transport.enabled_protocols.

chintushah46 · September 15, 2020, 11:16am

Thank you for the response.

I have not mentioned any of the protocol versions in elasticsearch.yml, and I know I can use that setting to ask elasticsearch/searchguard to use a specific version of TLS.

But over here my question is why the sequence of “Enabled TLS protocols” has changed and if it’s changed what is the preference of selecting a version from the list?

cstaley · September 15, 2020, 2:23pm

The order of the versions should be not significiant.

The respective RFCs RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2 describe that during protocol negotiation the highest version supported by server and client should be selected. Thus, the version determines the priority, not the order of the versions.

system · October 6, 2020, 2:23pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to enable specific TLS version on transport port Search Guard	2	415	December 19, 2017
Setting up specific tls versions and allowed ciphers. Search Guard	4	390	May 25, 2016
7.0 upgrade assistant Search Guard SSL warning Search Guard	4	956	May 3, 2019
TLSv1.3 is not working Search Guard	4	1247	May 6, 2021
Curl command to check TLS version for port Search Guard	6	362	July 12, 2023

The sequence of TLS Version protocols are different

Related Topics