LS 2.4.0 beats SSL plugin: unsupported ciphersuite

buzzdeee · October 25, 2016, 7:56am

Hi,

I recently updated from LS 2.3.4 to 2.4.0 and found my beats plugin not working anymore.

My LS config for the input plugin looks like:

  beats {
    port => 12344
    ssl => true
    ssl_certificate => "/etc/logstash/logstash.crt"
    ssl_key => "/etc/logstash/logstash.key"
    ssl_certificate_authorities => [ "/etc/logstash/logstash-ca.crt" ]
    ssl_verify_mode => "force_peer"
    type => "logs"
  }

The private key is converted to pkcs8 format.

Filebeat 1.3.1 is installed, and my filebeat config looks like:

filebeat:
  spool_size: 2048
  idle_timeout: 5s
  registry_file: ".filebeat"
  publish_async: false
  config_dir: "/etc/filebeat/conf.d"
output:
  logstash:
    hosts:
    - logstash:12344
    index: logstash
    tls:
      certificate_authorities:
      - "/etc/filebeat/ca.pem"
      certificate: "/etc/filebeat/logstash.pem"
      certificate_key: "/filebeat/logstash.pem"
      min_version: '1.2'

LS itself starts up fine, but when the filebeat agent connects I get the following message in the LS logs:

{:timestamp=>"2016-10-24T11:11:48.384000+0200", :message=>"Looks like you either have an invalid key or your private key was not in PKCS8 format.", :exception=>java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38, :level=>:error}

downgrading to LS 2.3.4 without any config change, filebeat has no problem to connect to LS and works as expected.

I'm on a recent OpenBSD amd64 6.0-snapshot, LS runs with Java jdk-1.8.0.72p1.
Wading through java docs, I found that the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite is only available with jdk-1.8.0, and only for TLS1.2, that's why I forced filebeat to use TLS1.2.

Reading up on: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-output-tls.html
I even tried to force cipher_suite in filebeat tls config:

tls:
  cipher_suites:
    - 'ECDHE-RSA-AES-128-GCM-SHA256'

Then LS still throws error about TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38

One thing I wonder is about the ciphersuite name from the logs, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38
sholdn't it be TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ???

Anything I'm doing wrong? cluebats welcome

Cheers,
Sebastian

Topic		Replies	Views
LS 2.3 -> 5.0 TLS trouble, PKCS#8 and cipher_suites Logstash	1	1155	December 26, 2016
Ssl connection between Filebeat and Logstash Logstash	1	684	May 17, 2017
Beats input plugin cannot read password protected ssl key Logstash	3	729	July 19, 2019
Logstash SSL File does not contain a valid private key with Beats Logstash	2	10649	April 17, 2019
Configuring cipher_suites works but ssl.cipher_suites not working Beats filebeat	0	122	May 28, 2024

LS 2.4.0 beats SSL plugin: unsupported ciphersuite

Related topics