The sequence of TLS version protocols is different

Hi,

I am curious to know the reason for the different sequence of the TLS versions when we start Elasticsearch. Following is the output for two different versions:

6.3.1:
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.1, TLSv1.2]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.1, TLSv1.2]

7.7.1:
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Client Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS Transport Server Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] TLS HTTP Provider : JDK
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2, TLSv1.1]

Does it select the version of TLS based on the sequence?

Hi.
What TLS protocol versions did you specify in elasticsearch.yml? Look for the options searchguard.ssl.http.enabled_protocols and searchguard.ssl.transport.enabled_protocols.

Thank you for the response.

I have not mentioned any of the protocol versions in elasticsearch.yml, and I know I can use that setting to ask elasticsearch/searchguard to use a specific version of TLS.

But over here my question is why the sequence of “Enabled TLS protocols” has changed and, if it has changed, what the preference is for selecting a version from the list?

The order of the versions should not be significant.

The respective RFCs https://tools.ietf.org/html/rfc5246#appendix-E describe that during protocol negotiation the highest version supported by server and client should be selected. Thus, the version determines the priority, not the order of the versions.
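To make the answer above concrete, here is a small added example (my own code, not Search Guard's and not from either poster) that parses the two “Enabled TLS protocols” lines quoted in the thread and picks the version a handshake would settle on: the highest one both peers support, so the printed order is irrelevant. The log lines are re-typed from the post as sample input; the deprecation check reflects RFC 8996, which the thread does not mention.

```python
import re

# Precedence of the TLS versions seen in the Search Guard log lines.
# Negotiation picks the highest version both peers support (RFC 5246 / RFC 8446),
# so this ranking decides the outcome, not the order the log prints the list in.
TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
DEPRECATED = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

# Constructed sample input: the two HTTP-layer lines quoted in the thread.
LOG_631 = "[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer : [TLSv1.1, TLSv1.2]"
LOG_771 = "[INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [CAD206] Enabled TLS protocols for HTTP layer : [TLSv1.3, TLSv1.2, TLSv1.1]"

_LIST_RE = re.compile(r"Enabled TLS protocols for (\w+) layer : \[([^\]]*)\]")


def parse_enabled_protocols(line):
    """Return (layer, set_of_versions) from a DefaultSearchGuardKeyStore log line."""
    m = _LIST_RE.search(line)
    if not m:
        raise ValueError("not an 'Enabled TLS protocols' line: %r" % line)
    versions = {v.strip() for v in m.group(2).split(",") if v.strip()}
    unknown = versions - set(TLS_RANK)
    if unknown:
        raise ValueError("unrecognised TLS version(s): %s" % sorted(unknown))
    return m.group(1), versions


def negotiate(server_enabled, client_supported):
    """Highest version common to both peers, or None when there is no overlap."""
    common = set(server_enabled) & set(client_supported)
    if not common:
        return None
    return max(common, key=lambda v: TLS_RANK[v])


def deprecated_versions(enabled):
    """Enabled versions that RFC 8996 deprecates; candidates for removal via enabled_protocols."""
    return sorted(set(enabled) & DEPRECATED, key=lambda v: TLS_RANK[v])


if __name__ == "__main__":
    for label, line in (("6.3.1", LOG_631), ("7.7.1", LOG_771)):
        layer, enabled = parse_enabled_protocols(line)
        print(label, layer, "client TLS1.2 only ->", negotiate(enabled, ["TLSv1.2"]),
              "| client TLS1.3+1.2 ->", negotiate(enabled, ["TLSv1.3", "TLSv1.2"]),
              "| deprecated:", deprecated_versions(enabled))
```

Feeding the same set in reversed order to negotiate() gives the same result, which is the point of the reply above; the deprecation check is the extra thing worth looking at in these logs, since both versions still enable TLSv1.1.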
