Are there any special settings for disabling TLSv1.1 in Elasticsearch?

Hello,

I'm trying to disable TLSv1.1 from the supported SSL protocols.
I referenced THIS GUIDE and changed 'xpack.security.transport.ssl.supported_protocols' as follows:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  http:
    service:
      spec:
        type: LoadBalancer
    tls:
      certificate:
        secretName: <my cert>
  version: 7.6.2
  nodeSets:
    - name: node
      count: 1
      config:
        node.master: true
        node.ingest: true
        node.data: true
        node.store.allow_mmap: true
        xpack.security.authc.realms.native.native1.order: -99
        xpack.security.transport.ssl.supported_protocols: TLSv1.2
      podTemplate:
        metadata:
          labels:
            name: node
          annotations:
            "co.elastic.logs/module": elasticsearch
            "co.elastic.metrics/module": elasticsearch
            "co.elastic.metrics/period": "10s"
            "co.elastic.metrics/hosts": "${data.host}:80"
        spec:
          initContainers:
            - name: sysctl
              securityContext:
                privileged: true
              command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
          containers:
            - name: elasticsearch
              resources:
                requests:
                  memory: 4Gi
                  cpu: 1
                limits:
                  memory: 4Gi
                  cpu: 1
              env:
                - name: ES_JAVA_OPTS
                  value: "-Xms2g -Xmx2g"
      volumeClaimTemplates:
        - metadata:
            name: elasticsearch-data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 200Gi
            storageClassName: standard

I checked whether this setting is correctly applied to the Elasticsearch pod, and it was correctly applied as follows.

However, when I check with nmap, TLSv1.1 is still enabled.

> nmap --script ssl-enum-ciphers.nse <my elasticsearch domain> -p 9200 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 18:36 KST
Nmap scan report for <my elasticsearch domain> (<my elasticsearch ip>)
Host is up (0.0064s latency).
rDNS record for <my elasticsearch ip>: 5.238.64.34.bc.googleusercontent.com

PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.02 seconds

Are there any more settings for my use case?

You need to set xpack.security.http.ssl.supported_protocols in order to change the protocol used by the HTTP port (port 9200). In your current configuration, you have set the protocol preference for the transport port (9300) only but the test is checking the HTTP port (9200) -- which is different.

Thanks @charith-elastic

It works~!
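A check for the point made in the answer above, that the HTTP port (9200) and the transport port (9300) are restricted by separate settings: this added example (not part of the original thread) parses `ssl-enum-ciphers` output covering both ports and reports any port still offering a protocol outside the allowed set. The sample scan text is constructed in the shape of the output posted above; the 9300 block and the function names are assumptions for illustration.

```python
import re

# Constructed sample in the shape of nmap's ssl-enum-ciphers output (cipher lists trimmed).
SAMPLE_SCAN = """\
PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
9300/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")

def offered_protocols(scan_text):
    """Map each open port to the protocol versions the scan saw the server accept."""
    result, port = {}, None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            result[port] = []
            continue
        m = PROTO_RE.match(line)
        if m and port is not None:
            result[port].append(m.group(1))
    return result

def violations(scan_text, allowed=("TLSv1.2", "TLSv1.3")):
    """Return {port: [protocols outside the allowed set]} for ports failing the policy."""
    bad = {}
    for port, protos in offered_protocols(scan_text).items():
        extra = [p for p in protos if p not in allowed]
        if extra:
            bad[port] = extra
    return bad

if __name__ == "__main__":
    for port, protos in violations(SAMPLE_SCAN).items():
        print(f"port {port} still offers {', '.join(protos)}")
```

Run against a scan of both ports, a non-empty result for 9200 with an empty one for 9300 is the signature of the situation in this thread: only the transport setting was restricted.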