Interesting. Can you share your filebeat output configuration? Which tool are you using for the analysis? Do you have a trace of the SSL/TLS handshake we can have a look at?
Which JVM are you running logstash with? Exact filebeat version in use (1.2.3?)?
The TLS version used is somewhat limited by the JVM in use. Logstash with a Java 7 VM might only support TLS 1.1, not 1.2.
Unfortunately one cannot configure the cipher suites in use with logstash, but beats provides some support through a cipher_suites setting.
According to https://weakdh.org (see Paper and Recommendations), one should prefer elliptic curve based DH and use a 'strong DH group'.
Go already uses elliptic curve Diffie-Hellman (ECDH suites), but I have no idea about the JVM here. The cipher suite mentioned, TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA, is not even defined in Go or beats. I guess it's coming from the JVM libs.
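
The claim about Go's TLS stack can be checked directly. The following is an added example, not part of the original post or of the beats code base: it tallies the cipher suites that Go's `crypto/tls` implements by key-exchange family and builds a client config pinned to ECDHE suites. It assumes Go 1.14 or later (for `tls.CipherSuites`); the helper names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// keyExchange classifies an IANA cipher suite name by key-exchange family.
func keyExchange(name string) string {
	switch {
	case strings.HasPrefix(name, "TLS_ECDHE_"):
		return "ECDHE"
	case strings.HasPrefix(name, "TLS_DHE_"):
		return "DHE" // finite-field DH, the family weakdh.org covers
	case strings.HasPrefix(name, "TLS_RSA_"):
		return "RSA" // static RSA key transport, no forward secrecy
	default:
		return "TLS1.3" // TLS 1.3 suite names carry no key exchange
	}
}

// countByKeyExchange tallies every suite crypto/tls implements,
// including the ones it flags as insecure.
func countByKeyExchange() map[string]int {
	counts := map[string]int{}
	for _, list := range [][]*tls.CipherSuite{tls.CipherSuites(), tls.InsecureCipherSuites()} {
		for _, s := range list {
			counts[keyExchange(s.Name)]++
		}
	}
	return counts
}

// forwardSecretIDs returns the IDs of the ECDHE suites Go does not flag as insecure.
func forwardSecretIDs() []uint16 {
	var ids []uint16
	for _, s := range tls.CipherSuites() {
		if keyExchange(s.Name) == "ECDHE" {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

func main() {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: forwardSecretIDs()}
	fmt.Println(countByKeyExchange(), len(cfg.CipherSuites), "ECDHE suites pinned")
}
```

The `DHE` count comes out as zero: `TLS_DHE_RSA_WITH_AES_128_CBC_SHA` (the IANA name for the suite quoted above) has no implementation in `crypto/tls`, so a Go client cannot offer it.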