Setting cipher suite is possible using xpack.security.transport.ssl.cipher_suites, for example:
xpack.security.transport.ssl.cipher_suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
but there appears to be no setting to control the elliptic curve used for ephemeral Diffie–Hellman exchange. Is that correct or I am missing something?
Hello,
As far as I know, there is no way in JSSE to set the preferred values for the supported_groups extension that is used in the TLS 1.3 ( or elliptic_curves as it used to be called in TLS 1.2 ) handshake to denote this.
You can probably set this as a JVM property in jvm.properties using the jdk.tls.namedGroups system property that is available since 8u21. Note that setting this will not only affect ECDHE but also ECDSA too.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.