Sorry if my post wasn't clear but we're using Elastic's hosted Elasticsearch Service (8.4.1), so JVM/Open SSL etc are beyond my reach, Elastic hosts and manages those bits.
The App Search (aka Enterprise Search) endpoint I'm referring to is what is automatically created by Elastic Cloud and is what we copy from the deployment details. We are using the latest Search UI in headless mode since we do not use React. Our integration takes the user's search input and fires off the search request using headless Search UI (configured with the endpoint and Public Search Key).
This works flawlessly for everyone except for at least one user who is in a restricted health care setting, who instead gets the basic HTTP auth dialog due to something being blocked or manipulated by their IT department's restrictions.
Usually the browser will give you these prompts if it receives a 401 error with a header like WWW-Authenticate: Basic
. App Search should not be doing that, so I expect your end user is actually hitting something else.
Ah, the IT department did share a screen shot where they were in fact getting the 401 error in the browser's developer console. Again, I don't know specifically what their IT team has done to lock down browsers, they just provided a brief summary that said:
the site does not pass our SSL inspection controls which we have enforced to monitor PHI being transmitted, thus resulting in the strange prompt for credentials the vendor’s site service with AWS as shown in the screenshot below
This seems to suggest they are somehow blocking Search UI from submitting the Public Search Key, which causes a 401. I just tested this and set the searchKey = '' and this does trigger the 401 but I still cannot reproduce how they are getting the HTTP auth prompt. EDIT: the HTTP auth dialog is shown by Chrome, my Firefox does not do this.
Reading a bit about forward secrecy, I don't expect that is something that we have on our roadmap to support. If you have a support relationship with Elastic, you may file an Enhancement Request for this feature.
Any specific reason why not? It looks like TLS_ECDHE_ECDSA*
is supported by JDK but I have no idea how the endpoints are configured when hosted by Elastic on Amazon, other than that the endpoint is using a Let's Encrypt generated certificate. It seems this will be an issue for anyone that is subject to 3rd party audits or doing B2B sites with clients in a health care or other restricted setting. If this is a hard "no" from Elastic, that's unfortunate since that only leaves your customers with options ranging from running a proxy to self-hosting. It would be far preferable to be able to have these endpoints use the latest and greatest cipher suites.