LS 2.4.0 beats SSL plugin: unsupported ciphersuite

Elastic Stack Logstash
1

Hi,

I recently updated from LS 2.3.4 to 2.4.0 and found my beats plugin not working anymore.

My LS config for the input plugin looks like:

  beats {
    port => 12344
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.key"
    ssl_certificate_authorities => [ "/etc/logstash/logstash-ca.crt" ]
    ssl_verify_mode => "force_peer"
    type => "logs"
  }

The private key is converted to pkcs8 format.

Filebeat 1.3.1 is installed, and my filebeat config looks like:

filebeat:
  spool_size: 2048
  idle_timeout: 5s
  registry_file: ".filebeat"
  publish_async: false
  config_dir: "/etc/filebeat/conf.d"
output:
  logstash:
    hosts:
    - logstash:12344
    index: logstash
    tls:
      certificate_authorities:
      - "/etc/filebeat/ca.pem"
      certificate: "/etc/filebeat/logstash.pem"
      certificate_key: "/filebeat/logstash.pem"
      min_version: '1.2'

LS itself starts up fine, but when the filebeat agent connects I get the following message in the LS logs:

{:timestamp=>"2016-10-24T11:11:48.384000+0200", :message=>"Looks like you either have an invalid key or your private key was not in PKCS8 format.", :exception=>java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38, :level=>:error}

downgrading to LS 2.3.4 without any config change, filebeat has no problem to connect to LS and works as expected.

I'm on a recent OpenBSD amd64 6.0-snapshot, LS runs with Java jdk-1.8.0.72p1.
Wading through java docs, I found that the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite is only available with jdk-1.8.0, and only for TLS1.2, that's why I forced filebeat to use TLS1.2.

Reading up on: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-output-tls.html
I even tried to force cipher_suite in filebeat tls config:

tls:
  cipher_suites:
    - 'ECDHE-RSA-AES-128-GCM-SHA256'

Then LS still throws error about TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38

One thing I wonder is about the ciphersuite name from the logs, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38
sholdn't it be TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ???

Anything I'm doing wrong? cluebats welcome :wink:

Cheers,
Sebastian