Mutual tls/ssl on elasticsearch

Elastic Security
21

Server sends

*** CertificateRequest

and client replies with the certificate

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=instance
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  ....

and server trusts it

***
Found trusted certificate:

That shows that your client is still sending the certificate so we should focus on this.

I unfortunately have no other ideas about winSSL/schannel and why it automatically picks up the certificate, or how you'd stop it from doing so.

22

It cannot be cookies, since I tried different clients, like command prompt, as well as IE and Chrome in private mode. Am I right?

23

It seems that you are right. WinSSL indeed sends client certificate automatically.


Unfortunately CURL did not fix it yet: (15.3 Add option to disable client certificate auto-send)

Thank you and your colleague for fast and comprehensive responses. Such high level of professional support is not at all obvious in itself.

Have a nice day :slightly_smiling_face:

24

Daniel, you might look at Testing TLS/SSL secured elastic cluster
Ii is about setup/configuration ES-7.8.0 fully x-pack secured cluster on RHEL with TLS/SSL on transport and http layers and tested it successfully with CURL and simple java client based on JEST API.

25

Thank you very much, Vadim. Appreciate your help.

26

Just for clarity: Although Vadim's setup is definitely a good reference, the problem that Daniel has here is that CURL in his environment ( Windows ) is automatically sending client certificates even when it's not asked to, and unfortunately no amount of configuration on elasticsearch's side can fix that.

27

By the way. If instead of CURL you use web browser like IE or Chrome, everything works fine. You are prompted by the browser to select certificate for authentication of yourself to ES server and after that SSL handshake including verification of ES server DNS succeeds without any problems.