I am trying to limit communication to my ES cluster to TLSv1.2. When I set the enabled protocol for the transport layer it works no problem. When I do the same thing for the http layer nothing happens and I get a note in the ES log informing me it has enabled both TLSv1.1 and TLSv1.2. I have also tried limiting the ciphers using searchguard.ssl.http.enabled_ciphers to
- "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
- "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
- "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"
- "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
- "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
- "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"
- "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
- "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"
- "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
- "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"
- "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
- "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
- "TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
but was able to connect with ECDHE-RSA-AES128-SHA.
Is the configuration honored for the http layer? Do I need to run SGAdmin.bat again? I didn't seem to need to for the transport layer.
When asking questions, please provide the following information:
* Search Guard and Elasticsearch version: ES 6.1.1 and SearchGuard 6.1.1-25
* Installed and used enterprise modules, if any - None
* JVM version and operating system version - 1.8.144 on Windows
* Search Guard configuration files
searchguard.ssl.http.enabled_protocols:
- "TLSv1.2"
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any - None
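
Added example, not part of the original post: the cipher the client reported, ECDHE-RSA-AES128-SHA, is an OpenSSL-style name, while `enabled_ciphers` uses JSSE/IANA names, so the two have to be translated before they can be compared. The sketch below covers only AES suites for TLS 1.2 and earlier; the function names `openssl_to_jsse` and `audit` are hypothetical, and the allow-list is the set of AES suites copied from the post.

```python
import re

# AES suites copied from the post's searchguard.ssl.http.enabled_ciphers list.
CONFIGURED = set("""
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
""".split())

# OpenSSL naming for AES suites: [KX-AUTH-]AES<bits>-[GCM-]<hash>.
# No key-exchange prefix means plain RSA; no "GCM" means CBC mode.
_OPENSSL_AES = re.compile(
    r"^(?:(ECDHE|ECDH|DHE|DH)-(RSA|ECDSA|DSS)-)?"
    r"AES(128|256)-(GCM-)?(SHA|SHA256|SHA384)$"
)


def openssl_to_jsse(name):
    """Translate an OpenSSL AES suite name to its JSSE/IANA name, or None."""
    m = _OPENSSL_AES.match(name)
    if not m:
        return None  # outside the AES subset this sketch handles
    kx, auth, bits, gcm, mac = m.groups()
    key_exchange = f"{kx}_{auth}" if kx else "RSA"
    mode = "GCM" if gcm else "CBC"
    return f"TLS_{key_exchange}_WITH_AES_{bits}_{mode}_{mac}"


def audit(negotiated, allowed=CONFIGURED):
    """Return (jsse_name, verdict) for a cipher a client actually negotiated."""
    jsse = openssl_to_jsse(negotiated)
    if jsse is None:
        return (None, "unknown")
    return (jsse, "allowed" if jsse in allowed else "NOT in allow-list")


if __name__ == "__main__":
    for cipher in ("ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(cipher, *audit(cipher))
```

A "NOT in allow-list" verdict for a cipher that a client successfully negotiated indicates the HTTP-layer cipher restriction is not in effect on that node.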