Logstash: Client requested protocol TLSv1 is not enabled or supported in server context

Elastic Stack Logstash
1

Logstash version 7.17.

Can advise on why this error incessantly appears in the Logstash log, or any steps to figure out why?

[2025-04-22T14:00:00,158][ERROR][logstash.inputs.tcp      ] null:
closing due:
io.netty.handler.codec.DecoderException:
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 is
not enabled or supported in server context
        at
io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Client requested
protocol TLSv1 is not enabled or supported in server context
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at
sun.security.ssl.TransportContext.fatal(TransportContext.java:347) ~[?:?]
        at
sun.security.ssl.TransportContext.fatal(TransportContext.java:303) ~[?:?]
        at
sun.security.ssl.TransportContext.fatal(TransportContext.java:294) ~[?:?]
        at
sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:872)
~[?:?]
        at
sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:824)
~[?:?]
        at
sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:802)
~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
~[?:?]
        at
sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
        at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1076)
~[?:?]
        at
sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1063)
~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at
sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1010)
~[?:?]
        at
io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1512)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1526)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1390)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1234)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1280)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        at
io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
~[netty-all-4.1.65.Final.jar:4.1.65.Final]
        ... 17 more

I have recently, very belatedly, replaced several instances of Logstash
6 with Logstash 7.17. (I know Logstash 7 went EOL last week.) These servers get traffic sent to them via a HA Proxy load balancer and between them accept tens of thousands of events per second from over two thousand sources. Logstash 7 is logging the error above, up to around ~100000 times per hour on each server, and for each occurrence Logstash's Java spews out ~43 lines in that way Java does, which makes logs so large we've had to start rotating them hourly.

The java.security of the openJDK Java used by our Logstash 6 instances contains:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

The java.security of the Java runtime bundled with Logstash 7 contains:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

So TLSv1 is disabled for both. And yet I cannot find any errors about TLSv1 in the in the logs for Logstash 6.

There is no indication in the log of what connected to a TCP input to cause the error, or which of the many TCP inputs it was. If I enable DEBUG logging then the null in this part of the
error message

[2025-04-22T14:00:00,158][ERROR][logstash.inputs.tcp      ] null:
closing due:
io.netty.handler.codec.DecoderException:
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 is
not enabled or supported in server context

gets replaced with an IP address, but it's always the IP address of the
HA Proxy load balancer so that doesn't help at all. (I can only enable
DEBUG logging for about ten minutes else the log will fill the disk. It is not possible to correlate the errors to anything in HA Proxy logging.)

I have not been able to identify anything that is now unable to send logs since Logstash 6 was replaced with 7 by looking at what logs are being sent before and after,

Example TCP input:

input {
  tcp {
    id => "linux-syslog-10000"
    port => 10000
    host => "0.0.0.0"
    mode => "server"
    add_field => { 
      "[@metadata][team]" => "linux"
      "[@metadata][logtype]" => "syslog"
    }
    ssl_enable => true
    ssl_cert => "/etc/pki/tls/certs/logs.crt"
    ssl_key => "/etc/pki/tls/private/logs.key"
    ssl_verify => false
    codec => line
    
    dns_reverse_lookup_enabled => false
  }
}

There's lots of inputs, but the SSL related parts are the same on all of them.