Project: Bitbucket Data Center
Issue: BSERV-12280

Provide an option to disable certain TLS protocols in remote Elasticsearch with buckler.yml


Details

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Technical Summary

      1. Per the Elasticsearch discussion thread (https://discuss.elastic.co/t/enabling-tls-on-5-5-2-how-to-verify/97999), to disable TLS in Elasticsearch we only need to disable xpack.
      2. In Bitbucket, we already do that by adding the following configuration to elasticsearch.yml:
        xpack.security.enabled: false
        
      3. Note that if xpack is enabled, it can be configured to allow only certain TLS protocols (https://discuss.elastic.co/t/tls-v1-0-has-been-removed-from-default-tls-ssl-protocols/189910):
        xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
        
      4. My testing shows that Elasticsearch with Buckler has all TLS protocols enabled.

      Steps to reproduce:

      1. Install a remote Elasticsearch instance following the Bitbucket KB https://confluence.atlassian.com/bitbucketserver/how-to-install-and-configure-a-remote-elasticsearch-instance-815577748.html
      2. Secure Elasticsearch with buckler.yml
      3. Make sure Elasticsearch is running successfully and is accessible over HTTPS
      4. Open a terminal and run the following (192.168.1.107 is my IP address; modify accordingly):
        marini@marini-VirtualBox:~$ nmap --script ssl-enum-ciphers -p 9200 192.168.1.107 -Pn
        Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 14:04 +08
        Nmap scan report for 192.168.1.107
        Host is up (0.00071s latency).

        PORT     STATE SERVICE
        9200/tcp open  wap-wsp
        | ssl-enum-ciphers: 
        |   TLSv1.0: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |   TLSv1.1: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |   TLSv1.2: 
        |     ciphers: 
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
        |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
        |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
        |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
        |     compressors: 
        |       NULL
        |     cipher preference: client
        |     warnings: 
        |       Key exchange (dh 1024) of lower strength than certificate key
        |_  least strength: A

        Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
        
      5. We can see that TLSv1.0, TLSv1.1 and TLSv1.2 are all enabled in Elasticsearch.
      6. In this scenario, the customer could not find a way to disable TLS protocols when running Elasticsearch with buckler.yml. On the Elasticsearch side it is, by rights, already disabled.
      7. The customer found a workaround by disabling certain TLS protocols in the JDK.
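
      The check in step 4 and the JDK workaround in step 7, as an added example that is not part of this issue and not code from Atlassian, Elastic or the Buckler project: a POSIX shell script that parses `nmap --script ssl-enum-ciphers` output to list the protocol versions the node negotiates, flags SSLv3/TLSv1.0/TLSv1.1, and writes the JDK-level override that the workaround relies on. The sample scan is a constructed, trimmed copy of the output above. The override file path and the jvm.options location are assumptions; the script assumes Elasticsearch runs on JDK 8 or later, where the `java.security.properties`, `jdk.tls.disabledAlgorithms` and `jdk.tls.ephemeralDHKeySize` properties exist.

```shell
#!/bin/sh
# Added example (not from the issue, Atlassian, Elastic or Buckler).
# 1. enabled_protocols / weak_protocols: read a saved nmap ssl-enum-ciphers
#    scan and report which TLS versions the server still offers.
# 2. harden_disabled_algorithms / write_jdk_override: build the JDK override
#    used as the workaround, keeping whatever the JDK already disables.

# Constructed sample: a trimmed copy of the scan in the issue description.
SAMPLE_SCAN='PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A'

# Print the protocol versions found in the scan, one per line, in scan order.
# nmap prints each version as a header such as "|   TLSv1.0:"; cipher lines
# and "|_  least strength" do not match the pattern.
enabled_protocols() {
    printf '%s\n' "$1" | awk '
        /^[|][ ]+(SSLv[0-9]+|TLSv[0-9.]+):[ ]*$/ {
            sub(/^[|][ ]+/, ""); sub(/:[ ]*$/, ""); print
        }'
}

# From the same scan, print only the versions that should not be offered.
weak_protocols() {
    enabled_protocols "$1" | awk '$0 == "SSLv3" || $0 == "TLSv1.0" || $0 == "TLSv1.1"'
}

# Append TLSv1 and TLSv1.1 (the JDK spells TLSv1.0 as "TLSv1") to an existing
# jdk.tls.disabledAlgorithms value unless they are already listed. The value
# is taken from the JDK's own java.security so its defaults (SSLv3, RC4, ...)
# are carried over: a java.security.properties override replaces the whole
# value of the property, it does not merge with it.
harden_disabled_algorithms() {
    value=$1
    for proto in TLSv1 TLSv1.1; do
        if ! printf '%s\n' "$value" | grep -q -E "(^|, *)$proto( *,|$)"; then
            value="$value, $proto"
        fi
    done
    printf '%s\n' "$value"
}

# Write the override file and print the JVM options to add to Elasticsearch's
# config/jvm.options (assumed location). $1 is the current value of
# jdk.tls.disabledAlgorithms from $JAVA_HOME/lib/security/java.security
# (JDK 8) or $JAVA_HOME/conf/security/java.security (JDK 9+); $2 is the
# output path. The second option raises the ephemeral DH size so the
# "Key exchange (dh 1024) of lower strength than certificate key" warning
# from the scan goes away as well.
write_jdk_override() {
    current=$1
    out=$2
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$(harden_disabled_algorithms "$current")" > "$out"
    printf '%s\n' "-Djava.security.properties=$out"
    printf '%s\n' "-Djdk.tls.ephemeralDHKeySize=2048"
}

# Demo against the constructed sample. A real run would feed a saved
# `nmap --script ssl-enum-ciphers -p 9200 <host> -Pn` output instead.
echo "negotiated: $(enabled_protocols "$SAMPLE_SCAN" | tr '\n' ' ')"
echo "deprecated: $(weak_protocols "$SAMPLE_SCAN" | tr '\n' ' ')"
```

      After adding the two printed options to jvm.options and restarting Elasticsearch, re-run the nmap scan: only TLSv1.2 (and TLSv1.3 on a JDK that supports it) should remain. The override applies to every TLS endpoint and client in that JVM, not only to Buckler's port 9200 listener, so anything the Elasticsearch JVM connects to must also speak TLSv1.2.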

      People

        Assignee: Unassigned
        Reporter: Marini Marini (mmarini@atlassian.com, inactive)
        Votes: 3
        Watchers: 8