No cipher suites in common

Mahesh_Kumar_S · October 1, 2024, 7:05pm

Hello Elastic Community,

I am facing an issue after configuring custom cipher suites for the TCP input plugin in Logstash.

Below is my configuration:

tcp{
    port => 6515
    type => syslog
    dns_reverse_lookup_enabled => false
    codec => syslog
    ssl_enable => true
    ssl_verify => false
    ssl_cert => "C:\Certificates\publickey.crt"
    ssl_key => "C:\Certificates\privatekey.key"
    ssl_key_passphrase => "abcd@1234"
    ssl_cipher_suites => [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384"
    ]
    ssl_verify => false
}

This configuration works correctly, but whenever I try to run the following nmap command to list the supported cipher suites:

nmap --script ssl-enum-ciphers -p 6515 localhost

I receive the following error message:

Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
    ...
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.

This error appears even if I have not configured custom ssl_cipher_suites. The certificate being used is self-signed.

Could someone help identify the cause of this issue?

Thank you!

Badger · October 1, 2024, 8:06pm

Are you saying nmap logs that or logstash logs that? I assume logstash.

The ssl-enum-ciphers scripts connects to the tcp port once for each cipher/compressor it needs to test. It will very likely be testing some ciphers that logstash does not support at which point the TLS negotiation will fail because there are no cipher suites in common. So exception is expected.

To me it is a good thing that it is logged and not suppressed.

Mahesh_Kumar_S · October 3, 2024, 9:16am

@Badger How can I verify the list of ciphers I have configured is working namp command is not working here. When ever I try to run the nmap command it acts as clients and shows no common ciphers I think thats the issue.?

Badger · October 4, 2024, 2:48am

I don't think that Java exception is coming from nmap (I don't think nmap is written in Java). I think it is coming from logstash for the reasons I explained.

Topic		Replies	Views
Custom TCP integration with TLS Logstash	5	161	January 16, 2024
[Logstash] SSL TCP input certificate issue Logstash	2	397	April 20, 2023
Logstash TLS with x-pack error registering plugin (Cipher is not available) 6.x Logstash	8	2525	April 5, 2018
Configuring both TLS 1.2 and TLS 1.3 in Logstash 8.8 Logstash	2	615	November 30, 2023
Problem with cipher in beat input Logstash	6	4768	January 12, 2017

No cipher suites in common

Related Topics