Problem with cipher in beat input

Hello,

I have a problem with the beat input in logstash.
When I start logstash, the beat input reports an error with the cipher.

This is the error in log :
Pipeline aborted due to error {:exception=>#<LogStash::ConfigurationError: Cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is not available>, ...

These are my Logstash and Java versions:

logstash 5.0.2
jruby 1.7.25 (1.9.3p551) 2016-04-13 867cb81 on Java HotSpot(TM) 64-Bit Server VM 1.8.0_77-b02 +jit [linux-amd64]
java 1.8.0_77 (Oracle Corporation)
jvm Java HotSpot(TM) 64-Bit Server VM / 25.77-b02

This is my logstash config :

input {
  beats {
    port => 5001
    host => "X.X.X.X"
    type => "log"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

I do not understand where the problem comes from.

Do you have an idea?

Thanks.

I noticed the same on my host.

I added cipher_suites => [ "ECDHE-RSA-AES256-GCM-SHA384" ] to logstash.conf but get the same error. (logstash 5.0.2)

$ java -version
openjdk version "1.8.0_111-internal"
OpenJDK Runtime Environment (build 1.8.0_111-internal-alpine-r0-b14)
OpenJDK 64-Bit Server VM (build 25.111-b14, mixed mode)

Receiving the same error:

Pipeline aborted due to error {:exception=>#<LogStash::ConfigurationError: Cipher `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` is not available>...

Versions:

logstash 5.0.2
logstash-input-beats 3.1.12
openjdk version "1.8.0_111"
OpenJDK Runtime Environment (build 1.8.0_111-b15)
OpenJDK 64-Bit Server VM (build 25.111-b15, mixed mode)

Tried lesser cipher suites and had the same error with those.

Running logstash in debug mode, I get the following:

[DEBUG][io.netty.handler.ssl.OpenSsl] Failed to load netty-tcnative; OpenSslEngine will be unavailable, unless the application has already loaded the symbols by some other means. See http://netty.io/wiki/forked-tomcat-native.html for more information.
java.lang.IllegalArgumentException: Failed to load any of the given libraries: [netty-tcnative-linux-x86_64, netty-tcnative-linux-x86_64-fedora, netty-tcnative]

I can't seem to find any of those libraries for CentOS 7.

Had this issue with a system, and found the problem was that /tmp was mounted with the noexec option.

Removing the noexec option and rebooting fixed the issue on my system.

It looks like logstash puts a copy of the libnetty-tcnative dynamic library (.so) in /tmp and tries to load it from there, which the noexec option blocks. Loading code from /tmp seems like a security risk.

EDIT: the code putting the library in TMP is in netty which is used by logstash.

EDIT 2: maybe the tmp path can be made more sane in logstash's jvm.options file by adding a line
-Dio.netty.native.workdir=some path

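An added check (not code from this thread or from Logstash/Netty) for the workdir fix described above: it looks up which filesystem holds a candidate io.netty.native.workdir in a /proc/mounts-style table, reports whether that filesystem is mounted noexec, and prints the matching jvm.options line. The mount table, the paths and the function names are constructed for this example; feed a live table with `mount_exec_status DIR < /proc/mounts`.

```shell
#!/bin/sh
# Constructed mount table in /proc/mounts format (device mountpoint fstype options dump pass).
# /tmp is noexec here, as on the system in the thread; a Logstash-owned directory is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/lib/logstash ext4 rw,relatime 0 0'

# longest_mount DIR: read a mount table from stdin and print "MOUNTPOINT OPTIONS"
# for the deepest mount point that contains DIR (the one the kernel would use).
longest_mount() {
  dir=$1; best=""; best_opts=""
  while read -r _dev mnt _fs opts _rest; do
    case "$dir" in
      "$mnt"|"${mnt%/}"/*)
        # Keep the longest matching mount point; "/" matches everything as a fallback.
        if [ ${#mnt} -gt ${#best} ]; then best=$mnt; best_opts=$opts; fi ;;
    esac
  done
  printf '%s %s\n' "$best" "$best_opts"
}

# mount_exec_status DIR: print "noexec" if the filesystem under DIR forbids mapping
# code (so a .so extracted there cannot be dlopen'ed), otherwise "exec".
mount_exec_status() {
  set -- $(longest_mount "$1")   # $1 = mount point, $2 = comma-separated options
  case ",$2," in
    *,noexec,*) echo noexec ;;
    *)          echo exec ;;
  esac
}

# netty_workdir_option DIR: the line to add to jvm.options once DIR passes the check.
netty_workdir_option() {
  printf -- '-Dio.netty.native.workdir=%s\n' "$1"
}

# Usage against the constructed table: compare the default /tmp with a dedicated directory.
for d in /tmp /var/lib/logstash/netty; do
  printf '%s: %s\n' "$d" "$(printf '%s\n' "$SAMPLE_MOUNTS" | mount_exec_status "$d")"
done
netty_workdir_option /var/lib/logstash/netty
```

The directory you point the JVM at should be owned by the logstash user and not world-writable, so that only that user can place libraries where the service will load them.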

Indeed, the /tmp partition with the noexec option is the problem.

I have not removed the noexec option on the /tmp partition for security reasons. The jvm.options file solution is the best solution.

I added the io.netty.native.workdir option in the jvm.options file and SSL works well now.

Thank you for your help!

