The sequence of TLS version protocols is different

Hi,

I am curious to know the reason for the different sequence of the TLS versions when we start Elasticsearch. Following is the output for two different versions:

6.3.1:
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.1, TLSv1.2]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.1, TLSv1.2]

7.7.1:
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2, TLSv1.1]

Does it select the version of TLS based on the sequence?

Hi.
What TLS protocol versions did you specify in elasticsearch.yml? Look for the options searchguard.ssl.http.enabled_protocols and searchguard.ssl.transport.enabled_protocols.

Thank you for the response.

I have not mentioned any of the protocol versions in elasticsearch.yml, and I know I can use that setting to ask elasticsearch/searchguard to use a specific version of TLS.

But over here my question is why the sequence of “Enabled TLS protocols” has changed and if it’s changed what is the preference of selecting a version from the list?

The order of the versions should not be significant.

The respective RFCs https://tools.ietf.org/html/rfc5246#appendix-E describe that during protocol negotiation the highest version supported by server and client should be selected. Thus, the version determines the priority, not the order of the versions.
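The negotiation rule described in that reply, worked through in code. This is an added example written for this thread; it is not Search Guard code and does not touch a live cluster. It parses "Enabled TLS protocols" log lines of the shape quoted above (the two sample lines below are constructed after them), then picks the highest version common to server and client using the (major, minor) wire values from RFC 5246 appendix E and RFC 8446, so that the two list orderings from the question produce the same result. The function names are my own.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Wire version numbers (major, minor) per RFC 5246 appendix E; TLSv1.3 is 0x0304 (RFC 8446).
TLS_VERSION_NUMBERS = {
    "TLSv1": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
    "TLSv1.3": (3, 4),
}

# Versions deprecated by RFC 8996; a defender usually wants these out of the enabled list.
DEPRECATED_VERSIONS = {"TLSv1", "TLSv1.1"}

# Constructed sample lines modelled on the two Search Guard log excerpts in the thread.
SAMPLE_LOG_6_3_1 = (
    "[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] "
    "Enabled TLS protocols for HTTP layer : [TLSv1.1, TLSv1.2]"
)
SAMPLE_LOG_7_7_1 = (
    "[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] "
    "Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2, TLSv1.1]"
)

_ENABLED_RE = re.compile(
    r"Enabled TLS protocols for (?P<layer>\w+) layer : \[(?P<versions>[^\]]*)\]"
)


def parse_enabled_protocols(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (layer, [versions...]) from an 'Enabled TLS protocols' log line, or None."""
    match = _ENABLED_RE.search(line)
    if not match:
        return None
    versions = [v.strip() for v in match.group("versions").split(",") if v.strip()]
    return match.group("layer"), versions


def negotiate(server_enabled: Sequence[str], client_supported: Sequence[str]) -> Optional[str]:
    """Highest version both sides support, regardless of the order either list is given in.

    Returns None when there is no common version; a real server would then abort the
    handshake with a protocol_version alert instead of silently picking something.
    """
    common = set(server_enabled) & set(client_supported)
    if not common:
        return None
    return max(common, key=lambda v: TLS_VERSION_NUMBERS[v])


def deprecated_enabled(server_enabled: Sequence[str]) -> List[str]:
    """Versions in the enabled list that RFC 8996 deprecates, sorted from oldest to newest."""
    found = DEPRECATED_VERSIONS & set(server_enabled)
    return sorted(found, key=lambda v: TLS_VERSION_NUMBERS[v])


if __name__ == "__main__":
    client = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
    for line in (SAMPLE_LOG_6_3_1, SAMPLE_LOG_7_7_1):
        layer, enabled = parse_enabled_protocols(line)
        print(layer, enabled, "->", negotiate(enabled, client),
              "deprecated still enabled:", deprecated_enabled(enabled))
```

Running the block against the two sample lines gives TLSv1.2 for the 6.3.1 list and TLSv1.3 for the 7.7.1 list; reversing or shuffling either enabled list does not change the outcome, which is the point of the reply above. The `deprecated_enabled` check is the follow-up a practitioner would run on the 7.7.1 output, since TLSv1.1 is still in the enabled list there and can be removed with the `enabled_protocols` settings mentioned earlier in the thread.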