Provide an option to disable certain TLS protocols in remote Elasticsearch with buckler.yml


      Technical Summary

      1. Referring to the Elasticsearch Discussion room (https://discuss.elastic.co/t/enabling-tls-on-5-5-2-how-to-verify/97999), to disable TLS in Elasticsearch, we only need to disable xpack.
      2. In Bitbucket, we already did that by adding the following configuration to elasticsearch.yml:
        xpack.security.enabled: false
        
      3. Note that if xpack is enabled, we can configure Elasticsearch to enable only certain TLS protocols (https://discuss.elastic.co/t/tls-v1-0-has-been-removed-from-default-tls-ssl-protocols/189910):
        xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
        
      4. My testing shows that Elasticsearch with Buckler has all TLS protocols enabled.

      Steps to reproduce:

      1. Install remote Elasticsearch based on the Bitbucket KB https://confluence.atlassian.com/bitbucketserver/how-to-install-and-configure-a-remote-elasticsearch-instance-815577748.html
      2. Secure Elasticsearch with buckler.yml
      3. Make sure Elasticsearch is running successfully and accessible over HTTPS
      4. Open terminal, type the following (192.168.1.107 is my IP address, modify accordingly):
        marini@marini-VirtualBox:~$ nmap --script ssl-enum-ciphers -p 9200 192.168.1.107 -Pn
        Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 14:04 +08
        Nmap scan report for 192.168.1.107
        Host is up (0.00071s latency).
        PORT     STATE SERVICE
        9200/tcp open  wap-wsp
        | ssl-enum-ciphers: 
        |   TLSv1.0: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |   TLSv1.1: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |   TLSv1.2: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |_  least strength: A
        Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
        
      5. We can see that TLSv1.0, TLSv1.1, and TLSv1.2 are all enabled in Elasticsearch.
      6. In this scenario, the customer could not find a way to disable TLS protocols when running Elasticsearch with buckler.yml. On the Elasticsearch side, it is, by right, already disabled.
      7. The customer found a workaround by disabling certain TLS protocols from the JDK.
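The nmap output in step 4 is long, and the thing a defender actually wants from it is a short answer: which protocol versions the server still negotiates, and whether any of them are below policy. The script below is an added example (not part of this issue or of Buckler/Elasticsearch) that parses `ssl-enum-ciphers` output into per-protocol cipher and warning lists, flags the legacy versions, and lists the entries that would go into the JDK's `jdk.tls.disabledAlgorithms` security property (the standard JDK mechanism for disabling protocol versions; the issue does not say which JDK setting the customer used, so treating it as that property is an assumption). The scan text is a constructed, shortened sample in the same layout as the report above; the address and the policy set `LEGACY_PROTOCOLS` are assumptions.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag legacy TLS versions.

Added example, not code from the issue. The scan below is a constructed,
abbreviated sample in the layout nmap 7.x prints for ssl-enum-ciphers.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample report (address and cipher subset are made up).
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.00071s latency).
PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
"""

# Policy assumption: versions a hardened deployment should no longer accept.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}

# nmap's version labels mapped to the names the JDK uses in java.security.
JDK_NAMES = {"SSLv3": "SSLv3", "TLSv1.0": "TLSv1", "TLSv1.1": "TLSv1.1",
             "TLSv1.2": "TLSv1.2", "TLSv1.3": "TLSv1.3"}

PROTO_RE = re.compile(r"^\|\s{3}(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s{7}(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])")


@dataclass
class ProtocolReport:
    ciphers: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, kex, grade)
    warnings: List[str] = field(default_factory=list)


def parse_ssl_enum_ciphers(text: str) -> Dict[str, ProtocolReport]:
    """Return {protocol: ProtocolReport} for every version the scan lists."""
    reports: Dict[str, ProtocolReport] = {}
    current = None   # protocol block we are inside
    section = None   # "ciphers" / "compressors" / "warnings"
    for line in text.splitlines():
        if line.startswith("|_"):          # "|_ least strength" ends the script output
            break
        m = PROTO_RE.match(line)
        if m:
            current, section = m.group(1), None
            reports[current] = ProtocolReport()
            continue
        if current is None:
            continue
        stripped = line.lstrip("| ").strip()
        if stripped in ("ciphers:", "compressors:", "warnings:"):
            section = stripped[:-1]
            continue
        if section == "ciphers":
            cm = CIPHER_RE.match(line)
            if cm:
                reports[current].ciphers.append((cm.group(1), cm.group(2), cm.group(3)))
        elif section == "warnings" and stripped:
            reports[current].warnings.append(stripped)
    return reports


def legacy_protocols_enabled(reports, legacy=frozenset(LEGACY_PROTOCOLS)) -> List[str]:
    """Versions the server negotiated that policy says should be disabled."""
    return sorted(p for p in reports if p in legacy)


def weak_dh_protocols(reports) -> List[str]:
    """Versions where nmap warned that the DH group is weaker than the certificate key."""
    return sorted(p for p, r in reports.items()
                  if any("Key exchange (dh" in w for w in r.warnings))


def jdk_disabled_algorithms_entries(reports) -> List[str]:
    """Entries to add to jdk.tls.disabledAlgorithms to close the findings."""
    entries = [JDK_NAMES[p] for p in legacy_protocols_enabled(reports)]
    if weak_dh_protocols(reports):
        entries.append("DH keySize < 2048")   # 1024-bit DH groups were flagged
    return entries


if __name__ == "__main__":
    r = parse_ssl_enum_ciphers(SAMPLE_SCAN)
    print("offered:", ", ".join(sorted(r)))
    print("legacy still enabled:", legacy_protocols_enabled(r))
    print("weak DH on:", weak_dh_protocols(r))
    print("jdk.tls.disabledAlgorithms additions:", jdk_disabled_algorithms_entries(r))
```

Run it against a real scan by piping nmap's output in place of `SAMPLE_SCAN`; if `legacy_protocols_enabled` is non-empty after the change has been applied, the setting did not take effect at the listener that actually terminates TLS. When applying the JDK workaround, append the listed entries to the existing `jdk.tls.disabledAlgorithms` value in the JDK's `java.security` rather than replacing it, so the defaults already disabled there (weak hashes, RC4, DES and so on) stay disabled.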

            Assignee:
            Unassigned
            Reporter:
            Marini Marini (Inactive)
            Votes:
            3
            Watchers:
            8