TLSv1.3 is not working

Elasticsearch version: 7.7.1

Server OS version: Windows 10

Describe the issue: TLSv1.3 is not accepted by the server

Steps to reproduce:

  1. Enabled TLSv1.3 as follows in elasticsearch.yml:
     searchguard.ssl.http.enabled_protocols: ["TLSv1.3"]
     searchguard.ssl.transport.enabled_protocols: ["TLSv1.3"]
  2. Restart the service
  3. Sent the request from the postman, disabling TLSv1.3.
  4. Got the following error:

[2021-04-12T11:39:21,905][WARN ][o.e.h.AbstractHttpServerTransport] [cad206.corp.soti.net] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=null}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]


Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]

Additional data:
I have checked on the Windows registry and I don’t have any,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

So the question is: if I don’t have any specific entry in the registry, especially one specific to enabling/disabling the TLS version, I should not have this error.

I should be able to see the proper communication.

Let me know if I am making any mistake or if you need more details.

Hi @chintushah46

Just checked and TLSv1.3 is not supported in ES 7.7.1.
TLSv1.3 was introduced in ES 7.11.

In this case the reported error is valid.

Thank you @pablo for the response as well as for validating the root cause of the error.
Appreciated your efforts.

@chintushah46

I’ve done some further testing and found that the lack of support for TLSv1.3 in 7.7.1 regards Kibana and not ES.
I’ve also got your config working with only TLSv1.3 enabled in Search Guard 42.1.0 (ES 7.7.1).

You’ve stated in steps the following: “Sent the request from the postman, disabling TLSv1.3.”
Does that mean you’ve disabled TLSv1.3 in Postman? If yes, could you share how, as I couldn’t find that option? Otherwise, what was the request?

The provided error states that the client (I assume it is Postman) has TLSv1.3 enabled and the server expects TLSv1.2.
Based on that it seems that Postman is still using only TLSv1.3 to communicate with Searchguard on ES and Searchguard has still only TLSv1.2 enabled.
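
A triage helper for the handshake error quoted in this thread, added here as an example and not code from any poster or from Search Guard: it parses the JSSE message, normalizes the server-side protocol names, and reports which configured protocols the server did not actually have active. The function names and the third sample line are constructed, and the `SERVER_NAMES` entries other than `TLS12` assume the same naming pattern.

```python
import re
from collections import Counter

# JSSE prints the server side as enum-style names ("TLS12" in the log above).
# The other entries assume the same naming pattern.
SERVER_NAMES = {"SSL30": "SSLv3", "TLS10": "TLSv1", "TLS11": "TLSv1.1",
                "TLS12": "TLSv1.2", "TLS13": "TLSv1.3"}

MISMATCH_RE = re.compile(
    r"The client supported protocol versions \[(?P<client>[^\]]*)\] "
    r"are not accepted by server preferences \[(?P<server>[^\]]*)\]")

def _split(field):
    return [v.strip() for v in field.split(",") if v.strip()]

def parse_mismatch(line):
    """Return (client_versions, server_versions), or None for unrelated lines."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    server = [SERVER_NAMES.get(v, v) for v in _split(m.group("server"))]
    return _split(m.group("client")), server

def summarize(lines):
    """Count handshake failures per (client offer, server preference) pair."""
    counts = Counter()
    for line in lines:
        # The same message repeats on the "Caused by:" line of one stack trace.
        if line.lstrip().startswith("Caused by:"):
            continue
        parsed = parse_mismatch(line)
        if parsed:
            counts[(tuple(parsed[0]), tuple(parsed[1]))] += 1
    return counts

def not_in_effect(configured, server_versions):
    """Configured protocols that the server did not actually have active."""
    return [v for v in configured if v not in server_versions]

# Lines 1-2 are from the post above; line 3 is constructed.
SAMPLE = [
    "io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]",
    "Caused by: javax.net.ssl.SSLHandshakeException: The client supported protocol versions [TLSv1.3] are not accepted by server preferences [TLS12]",
    "[2021-04-12T11:40:02,118][INFO ][o.e.n.Node] [node-1] started",
]

if __name__ == "__main__":
    for (client, server), n in summarize(SAMPLE).items():
        print(n, client, server, "missing:", not_in_effect(["TLSv1.3"], server))
```

For the log in this thread, `not_in_effect` returns `["TLSv1.3"]`: the value set in `enabled_protocols` was not among the protocols the listener reported as its preferences.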
