Details
- Suggestion
- Resolution: Unresolved
Description
Technical Summary
- According to the Elasticsearch discussion forum (https://discuss.elastic.co/t/enabling-tls-on-5-5-2-how-to-verify/97999), to disable TLS in Elasticsearch we only need to disable xpack.
- In Bitbucket, we already do that by adding the following to elasticsearch.yml:
xpack.security.enabled: false
- Note that if xpack is enabled, Elasticsearch can be configured to allow only certain TLS protocols (https://discuss.elastic.co/t/tls-v1-0-has-been-removed-from-default-tls-ssl-protocols/189910):
xpack.security.http.ssl.supported_protocols: [ "TLSv1.2", "TLSv1.1", "TLSv1" ]
- My testing shows that Elasticsearch with Buckler has all TLS protocols enabled
Steps to reproduce:
- Install remote Elasticsearch based on Bitbucket KB https://confluence.atlassian.com/bitbucketserver/how-to-install-and-configure-a-remote-elasticsearch-instance-815577748.html
- Secure Elasticsearch with buckler.yml
- Make sure Elasticsearch is running successfully and is accessible over HTTPS
- Open terminal, type the following (192.168.1.107 is my IP address, modify accordingly):
marini@marini-VirtualBox:~$ nmap --script ssl-enum-ciphers -p 9200 192.168.1.107 -Pn
Starting Nmap 7.60 ( https://nmap.org ) at 2020-03-31 14:04 +08
Nmap scan report for 192.168.1.107
Host is up (0.00071s latency).

PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.66 seconds
- We can see that TLSv1.0, TLSv1.1, and TLSv1.2 are all enabled on the Elasticsearch port
- In this scenario, the customer could not find a way to disable individual TLS protocol versions when running Elasticsearch with buckler.yml. On the Elasticsearch side, TLS is, strictly speaking, already disabled (xpack is off), so the xpack supported_protocols setting above cannot be used to restrict them
- The customer found a workaround by disabling certain TLS protocol versions in the JDK
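Whatever the workaround applied, the result should be re-checked with the same nmap scan. The following is an added example, not part of this issue or of Buckler: it parses ssl-enum-ciphers output in the format shown above and flags protocol versions below an assumed TLSv1.2 minimum plus 1024-bit DH key exchange; the sample is a constructed, shortened copy of the scan output above.

```python
import re

# Assumed policy for this check: TLSv1.2 is the minimum acceptable version.
MIN_TLS = "TLSv1.2"
RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample, shortened from the ssl-enum-ciphers output in the issue.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|_  least strength: A
"""

# A protocol header is "|   TLSv1.0:"; a cipher line is "|       NAME (kex) - GRADE".
PROTO_RE = re.compile(r"^\|_?\s+(SSLv\d|TLSv\d\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+(\S+)\s*$")


def parse_enum_ciphers(text):
    """Map each protocol version nmap found to its cipher suites (name, key exchange, grade)."""
    result = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append({"name": m.group(1), "kex": m.group(2), "grade": m.group(3)})
    return result


def findings(parsed, min_tls=MIN_TLS):
    """Flag protocol versions below the policy minimum (unknown ones count as legacy) and 1024-bit DH."""
    out = []
    for proto, ciphers in parsed.items():
        if RANK.get(proto, -1) < RANK[min_tls]:
            out.append(f"{proto} offered (policy minimum is {min_tls})")
        if any(c["kex"] == "dh 1024" for c in ciphers):
            out.append(f"{proto}: 1024-bit DH key exchange offered")
    return out
```

Run the scan with `nmap --script ssl-enum-ciphers -p 9200 <host> -oN scan.txt` and feed the file contents to `parse_enum_ciphers`; an empty `findings` list means the server now meets the assumed policy.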
Issue Links
- causes PS-60711