No cipher suites in common

Hello Elastic Community,

I am facing an issue after configuring custom cipher suites for the TCP input plugin in Logstash.

Below is my configuration:

tcp{
    port => 6515
    type => syslog
    dns_reverse_lookup_enabled => false
    codec => syslog
    ssl_enable => true
    ssl_verify => false
    ssl_cert => "C:\Certificates\publickey.crt"
    ssl_key => "C:\Certificates\privatekey.key"
    ssl_key_passphrase => "abcd@1234"
    ssl_cipher_suites => [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384"
    ]
}

This configuration works correctly, but whenever I try to run the following nmap command to list the supported cipher suites:

nmap --script ssl-enum-ciphers -p 6515 localhost

I receive the following error message:

Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
    at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
    ...
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530) ~[netty-codec-4.

This error appears even if I have not configured custom ssl_cipher_suites. The certificate being used is self-signed.

Could someone help identify the cause of this issue?

Thank you!

Are you saying nmap logs that or logstash logs that? I assume logstash.

The ssl-enum-ciphers script connects to the tcp port once for each cipher/compressor it needs to test. It will very likely be testing some ciphers that logstash does not support, at which point the TLS negotiation will fail because there are no cipher suites in common. So the exception is expected.

To me it is a good thing that it is logged and not suppressed.


@Badger How can I verify that the list of ciphers I have configured is working? The nmap command is not working here. Whenever I try to run the nmap command it acts as a client and shows no common ciphers; I think that's the issue.

I don't think that Java exception is coming from nmap (I don't think nmap is written in Java). I think it is coming from logstash for the reasons I explained.
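One way to check the configured list directly, as an added example rather than anything from this thread or from Logstash itself: open one TLS handshake per suite, offering only that suite, and record which ones the server accepts. It assumes the tcp input from the question is listening on localhost:6515 and, matching the question's ssl_verify => false and self-signed certificate, does not verify the server certificate. Note that this does the same thing nmap's ssl-enum-ciphers does, so every suite the server rejects will produce one more "no cipher suites in common" exception in the Logstash log; that is the expected side effect of the check, not a fault.

```python
"""Probe a TLS listener with each configured cipher suite, one handshake per suite.

Added example; not code from the Elastic thread or from Logstash. Assumes the
Logstash tcp input is on localhost:6515 and its self-signed certificate is not
verified (ssl_verify => false in the question).
"""
import re
import socket
import ssl

# The ssl_cipher_suites list from the question, in the IANA/JSSE naming Logstash uses.
CONFIGURED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]


def is_tls13(suite: str) -> bool:
    """TLS 1.3 suites have no key-exchange part, so no '_WITH_' in the IANA name."""
    return "_WITH_" not in suite


def iana_to_openssl(suite: str) -> str:
    """Map an IANA/JSSE suite name to the OpenSSL name Python's ssl module expects.

    TLS 1.3 suites keep their IANA name in OpenSSL. For TLS 1.2 suites OpenSSL
    drops 'TLS_' and 'WITH', writes AES_128 as AES128, omits 'CBC', and omits the
    trailing SHA256 on the ChaCha20-Poly1305 suites.
    """
    if is_tls13(suite):
        return suite
    name = suite[4:] if suite.startswith("TLS_") else suite
    kx, cipher = name.split("_WITH_", 1)
    cipher = re.sub(r"AES_(\d+)", r"AES\1", cipher)
    cipher = cipher.replace("_CBC", "")
    cipher = re.sub(r"CHACHA20_POLY1305_SHA256$", "CHACHA20_POLY1305", cipher)
    return f"{kx}_{cipher}".replace("_", "-")


def local_openssl_supports(openssl_name: str) -> bool:
    """True if the client-side OpenSSL can offer this TLS 1.2 suite at all.

    A suite the probing client cannot offer shows up as a failure that says
    nothing about the server, so filter those out before interpreting results.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(openssl_name)
        return True
    except ssl.SSLError:
        return False


def probe_suite(host: str, port: int, suite: str, timeout: float = 3.0):
    """Attempt one handshake offering only `suite`.

    Returns (negotiated_suite, tls_version, error). On a rejected suite the
    server sends a handshake_failure alert; that is the moment Logstash logs
    'no cipher suites in common'.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed server cert, as in the question
    if is_tls13(suite):
        # Python's ssl module cannot restrict TLS 1.3 suites individually, so
        # force TLS 1.3 and report whichever suite the server actually picks.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    else:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(iana_to_openssl(suite))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                negotiated, version, _bits = tls.cipher()
                return negotiated, version, None
    except (ssl.SSLError, OSError) as exc:
        return None, None, str(exc)


def report(host: str = "localhost", port: int = 6515, suites=CONFIGURED_SUITES):
    """Probe every configured suite and return {suite: (negotiated, version, error)}."""
    results = {}
    for suite in suites:
        if not is_tls13(suite) and not local_openssl_supports(iana_to_openssl(suite)):
            results[suite] = (None, None, "not offerable by local OpenSSL")
            continue
        results[suite] = probe_suite(host, port, suite)
    for suite, (negotiated, version, error) in results.items():
        status = f"OK {negotiated} ({version})" if negotiated else f"rejected: {error}"
        print(f"{suite:50s} {status}")
    return results


if __name__ == "__main__":
    report()
```

Read the output together with the key type of the certificate: a server holding an RSA key can never negotiate the ECDHE_ECDSA suites, and one holding an ECDSA key can never negotiate the ECDHE_RSA ones, so half of a mixed list like the one in the question is expected to be rejected regardless of configuration. The TLS 1.3 rows report whatever the server chose rather than a per-suite verdict, because the Python ssl module does not expose OpenSSL's TLS 1.3 suite list setting.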