Exception while enabling FIPS in ES 7.17

While enabling FIPS with the below config params, we are facing

xpack.security.fips_mode.enabled: true
xpack.security.authc.password_hashing.algorithm: pbkdf2_10000

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
#xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
#xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

closing connection io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common

We also tried adding the below param, but are facing the same issue

xpack.security.http.ssl.cipher_suites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

Which JSSE library are you using?
Have you installed a FIPS certified security provider?

Hi @TimV

We are using a FIPS-installed OS

ua status
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips             yes       enabled      NIST-certified FIPS crypto packages
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
usg              yes       disabled     Security compliance and audit tools

For a list of all Ubuntu Pro services, run 'pro status --all'
Enable services with: pro enable <service>

                Account: pre-profit-fedramp
           Subscription: pre-profit-fedramp
            Valid until: Thu Dec 30 16:00:00 9999 PST
Technical support level: essential
cat /proc/sys/crypto/fips_enabled
1

We are using

java -version
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)

Hi @dadoonet and @DavidTurner, could you please help us with this?

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.


From what you've shown it doesn't look like your Java SDK is configured for FIPS, but I don't know exactly what Ubuntu might be doing under the covers.

My guess is that Ubuntu's JDK packages for FIPS are configured to use non-default settings and have disabled certain TLS ciphers.

Elasticsearch's FIPS mode officially only supports running on the Oracle JDK with Bouncy Castle FIPS

FIPS 140-2 mode requires Oracle JDK 11 and the Bouncy Castle BCJSSE FIPS security provider

I suspect your issues are coming from using a different FIPS-enabled JDK.
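
The two questions asked earlier in the thread (which JSSE library is in use, and whether a FIPS security provider is installed) can be answered by asking the JVM directly. The following is an added example, not code from the thread or from Elastic; the class name `JsseFipsCheck` is hypothetical, and `BCFIPS` / `BCJSSE` are the names under which the Bouncy Castle FIPS and JSSE providers register themselves.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Prints what the JVM offers for TLS: providers, JSSE library, cipher suites. */
public class JsseFipsCheck {
    // Suite taken from the cipher_suites setting tried in the thread.
    static final String SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";

    public static void main(String[] args) throws Exception {
        // 1. Registered security providers, in preference order.
        boolean bcFips = false;
        boolean bcJsse = false;
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.printf("%2d. %-12s %s%n", i + 1, p.getName(), p.getInfo());
            bcFips |= "BCFIPS".equals(p.getName());
            bcJsse |= "BCJSSE".equals(p.getName());
        }
        System.out.println("BCFIPS registered: " + bcFips);
        System.out.println("BCJSSE registered: " + bcJsse);

        // 2. The provider behind the default TLS context is the JSSE library in use.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Default SSLContext provider: " + ctx.getProvider().getName());

        // 3. Is the suite known to this JSSE at all, and is it enabled by default?
        report("supported", ctx.getSupportedSSLParameters());
        report("enabled by default", ctx.getDefaultSSLParameters());
    }

    // Reports whether SUITE appears in the given parameter set, then lists the set.
    static void report(String label, SSLParameters params) {
        List<String> suites = Arrays.asList(params.getCipherSuites());
        System.out.println(SUITE + " " + label + ": " + suites.contains(SUITE));
        for (String s : suites) {
            System.out.println("    " + s);
        }
    }
}
```

Compile and run it with the same `java` binary and the same `java.security` overrides that the Elasticsearch process uses, otherwise the provider list will not reflect what the node sees.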

Hi @TimV

For enabling FIPS mode, is it mandatory to go with Oracle JDK 11, or any other OpenJDK as per the support matrix?

If you want support, then you need to stick to what is listed on the support matrix.
