Control Cipher Suites for Stronger Encryption in Elasticsearch

This FREE tutorial is part of the video course 18+ Secrets From Elasticsearch Golden Contributor, where I give you the best tips and tricks about the ELK stack that I have collected during my professional career. Check it out in the Course tab.

1. Introduction

With TLS 1.3, only five cipher suites are officially supported:

    TLS_AES_128_GCM_SHA256
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_CCM_SHA256
    TLS_AES_128_CCM_8_SHA256

Imagine you want to block every TLS 1.3 cipher suite other than TLS_AES_256_GCM_SHA384 for both client and inter-node communication. Let me show you how to do it.

2. Start Elasticsearch

Download the zip package with the project and unpack it. You should see this structure:

    elk3nodes-ipv4
        - compose.yml
        - env_variables.sh
        - elasticsearch-certutil-instances
            - elasticsearch-certutil-instances.yml
        - elkConfig01
            - elasticsearch.yml
        - stop_docker_compose_cluster.sh
        - start_docker_compose_cluster.sh

Change into the elk3nodes-ipv4 directory and run:

    ./start_docker_compose_cluster.sh

Then wait until the following entries appear in the logs:

    installation_container-1  | Elasticsearch cluster started with status green
    installation_container-1 exited with code 0

3. Check current cipher suite

3.1. Check JVM version

Which cipher suites are available depends on the JVM. The first step is to check which Java runtime environment is hosting Elasticsearch:

    curl -XGET "https://localhost:9200/_nodes/jvm?filter_path=nodes.*.jvm.vm_name,nodes.*.jvm.vm_vendor,nodes.*.jvm.version,nodes.*.jvm.vm_version&pretty" -u elastic:123456 -k

Example response:

    {
     "nodes" : {
      "S1LhuBf6TY2zc6rZm21OXQ" : {
         "jvm" : {
            "version" : "22.0.1",
            "vm_name" : "OpenJDK 64-Bit Server VM",
            "vm_version" : "22.0.1+8-16",
            "vm_vendor" : "Oracle Corporation"
         }
      }
     }
    }

3.2. Connect via OpenSSL

If you connect without changing any cipher configuration, the handshake looks like this:

    docker cp elastic-three-nodes-cluster-dockercompose-ip4-es01-1:/usr/share/elasticsearch/config/certs/ca/ca.crt ./http_ca.crt

    openssl s_client -CAfile ./http_ca.crt -connect localhost:9200

The stdout log will contain:

    Post-Handshake New Session Ticket arrived:
    SSL-Session:
      Protocol : TLSv1.3
      Cipher  : TLS_AES_256_GCM_SHA384

If you want to negotiate a different cipher suite, you can try the following.

Using TLS 1.3 with TLS_AES_128_GCM_SHA256:

    curl --tls13-ciphers "TLS_AES_128_GCM_SHA256" -XGET "https://localhost:9200/_cluster/health?pretty" -u elastic:123456 -k -vv

Using TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256:

    curl --tls13-ciphers "TLS_CHACHA20_POLY1305_SHA256" -XGET "https://localhost:9200/_cluster/health?pretty" -u elastic:123456 -k -vv

Using TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384:

    curl --tlsv1.2 --tls-max 1.2 --ciphers "ECDHE-RSA-AES256-GCM-SHA384" -XGET "https://localhost:9200/_cluster/health?pretty" -u elastic:123456 -k -vv

4. Enforce specific ciphers

Open the configuration file elkConfig01/elasticsearch.yml. At the bottom of the file you will find commented-out cipher_suites settings; keep them as a reference and add the new settings below them:

    xpack.security.http.ssl.cipher_suites: [
      "TLS_AES_256_GCM_SHA384"
    ]

    xpack.security.transport.ssl.cipher_suites: [
      "TLS_AES_256_GCM_SHA384"
    ]

  • xpack.security.http.ssl.cipher_suites: controls the cipher suites for HTTPS communication (client to Elasticsearch).
  • xpack.security.transport.ssl.cipher_suites: controls the cipher suites for internal cluster communication (node to node).

Save the file.

4.1. Start ELK with new options

Run the commands below to restart Elasticsearch:

    ./stop_docker_compose_cluster.sh
    ./start_docker_compose_cluster.sh

Connect with the client again:

    docker cp elastic-three-nodes-cluster-dockercompose-ip4-es01-1:/usr/share/elasticsearch/config/certs/ca/ca.crt ./http_ca.crt

    openssl s_client -CAfile ./http_ca.crt -connect localhost:9200

You will see in the output:

    Post-Handshake New Session Ticket arrived:
    SSL-Session:
      Protocol : TLSv1.3
      Cipher  : TLS_AES_256_GCM_SHA384

4.2. Connection with unsupported cipher

Now, if you try to connect with a cipher suite that is no longer allowed, you will get an error:

    curl --tls13-ciphers "TLS_CHACHA20_POLY1305_SHA256" -XGET "https://localhost:9200/_cluster/health?pretty" -u elastic:123456 --cacert ./http_ca.crt

    # or with OpenSSL
    openssl s_client -CAfile ./http_ca.crt -tls1_3 -ciphersuites 'TLS_CHACHA20_POLY1305_SHA256' -connect localhost:9200

The error:

    # with OpenSSL
    40CFD10002000000:error:0A000410:SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure:ssl/record/rec_layer_s3.c:861:SSL alert number 40

    # with curl
    curl: (35) OpenSSL/3.2.0: error:0A000410:SSL routines::ssl/tls alert handshake failure

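To verify the restriction end to end rather than one suite at a time, here is an added probe script (not from the tutorial or from the Elasticsearch project) that tries every TLS 1.3 suite and the TLS 1.2 suite used in section 3.2 against the cluster and reports which ones the server accepts. It assumes openssl 1.1.1 or newer on PATH, the CA file ./http_ca.crt extracted as shown in section 3.2, and the endpoint localhost:9200.

```shell
# Added example (not from the tutorial or the Elasticsearch project): probe the
# HTTPS endpoint with every TLS 1.3 suite and one TLS 1.2 suite and report which
# ones the server accepts. Assumes openssl 1.1.1+ on PATH, ./http_ca.crt
# extracted as in section 3.2, and the endpoint localhost:9200.
HOST="${1:-localhost:9200}"
CAFILE="${2:-./http_ca.crt}"
TLS13_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 \
TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"
TLS12_SUITE="ECDHE-RSA-AES256-GCM-SHA384"

# Classify captured s_client output: print the negotiated suite on success, or
# REJECTED when none was agreed (after a failed handshake OpenSSL prints
# "New, (NONE), Cipher is (NONE)").
classify() {
    suite=$(printf '%s\n' "$1" |
        sed -n 's/^New, .*Cipher is \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    [ -n "$suite" ] && echo "$suite" || echo REJECTED
}

# Probe one suite: $1 = suite name, $2 = "1.3" or "1.2". Uses the same
# s_client flags as the tutorial, plus -tls1_2/-cipher for the TLS 1.2 case.
probe() {
    if [ "$2" = "1.3" ]; then
        out=$(openssl s_client -CAfile "$CAFILE" -tls1_3 -ciphersuites "$1" \
              -connect "$HOST" </dev/null 2>&1)
    else
        out=$(openssl s_client -CAfile "$CAFILE" -tls1_2 -cipher "$1" \
              -connect "$HOST" </dev/null 2>&1)
    fi
    classify "$out"
}

# Constructed s_client fragments (not real captures) to exercise classify().
SAMPLE_OK='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_FAIL='SSL routines:ssl3_read_bytes:ssl/tls alert handshake failure
New, (NONE), Cipher is (NONE)'
if [ -r "$CAFILE" ]; then
    # With the section 4 setting applied, only TLS_AES_256_GCM_SHA384 should be
    # accepted; the TLS 1.2 suite is rejected too, since the allowed list
    # contains no TLS 1.2 suite at all.
    for s in $TLS13_SUITES; do
        printf '%-30s TLS1.3 -> %s\n' "$s" "$(probe "$s" 1.3)"
    done
    printf '%-30s TLS1.2 -> %s\n' "$TLS12_SUITE" "$(probe "$TLS12_SUITE" 1.2)"
else
    echo "CA file $CAFILE not readable; extract it first (see section 3.2)." >&2
fi
```

A suite reported as accepted that is not in your cipher_suites list means the setting was not applied to that listener; the transport port needs the same check against its own certificate.
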
5. Summary

As you can see, after applying the changes to the configuration YAML file it is no longer possible for a client to connect using the less secure cipher suites. This makes your cluster more secure.
