Set Up SSL in Elasticsearch error

security

(Chris Wang) #1

I'm following the document to open SSL in one node of an Elasticsearch cluster.

I got the error message below:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://x.x.x.x:9200 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator. "

In fact, I already checked TLS in the browser (IE, Chrome).


(Mark Walkom) #2

Are you using Shield?


(Chris Wang) #3

Yes, the Shield plugin is already installed.


(Mark Walkom) #4

What version of ES are you running?


(Chris Wang) #5

ES 2.1.0


(Jay Modi) #6

@Chris_wang did you get to the bottom of this?

If not, you can use nmap to see what is happening with the ssl-enum-ciphers script:

nmap --script=ssl-enum-ciphers -p 9200 127.0.0.1

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-07 13:25 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00033s latency).
PORT     STATE SERVICE
9200/tcp open  wap-wsp
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: client
|     warnings: 
|       Key exchange parameters of lower strength than certificate key
|_  least strength: A
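
An added example, not part of the original thread and not code from nmap or Shield: a small Python parser for the ssl-enum-ciphers output layout shown in the post above, grouping ciphers, key-exchange parameters and warnings per protocol and listing settings an operator would review. The sample text is constructed from that layout; the function names, the legacy-protocol set and the 224-bit curve threshold are assumptions of this example.

```python
import re

# Constructed sample: trimmed copy of the scan layout shown in the post above.
SAMPLE = """\
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp160k1) - A
|     cipher preference: client
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|_  least strength: A
"""
PROTO = re.compile(r"^\|\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+((?:TLS|SSL)_\w+)(?: \(([^)]*)\))? - ([A-F])\s*$")
HEADER = re.compile(r"^\|\s+([a-z][a-z ]*):\s*(\S*)\s*$")
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}  # versions deprecated by RFC 7568 / RFC 8996

def parse(text):
    """Map protocol -> {"ciphers": [(name, kex, grade)], "preference", "warnings"}."""
    result, cur, section = {}, None, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            cur = result.setdefault(m.group(1), {"ciphers": [], "preference": None, "warnings": []})
        elif cur is None:
            continue  # banner and port lines before the first protocol block
        elif m := CIPHER.match(line):
            cur["ciphers"].append(m.groups())
        elif m := HEADER.match(line):  # ciphers:, compressors:, warnings:, cipher preference: X
            section = m.group(1)
            if section == "cipher preference":
                cur["preference"] = m.group(2)
        elif section == "warnings" and line.startswith("|  "):
            cur["warnings"].append(line.lstrip("| ").strip())
    return result

def findings(parsed, min_curve_bits=224):  # threshold is this example's assumption
    out = []
    for proto, info in parsed.items():
        if proto in LEGACY:
            out.append(f"{proto}: legacy protocol version enabled")
        for name, kex, _grade in info["ciphers"]:
            bits = re.match(r"sec[pt](\d+)", kex or "")  # curve size from its name
            if bits and int(bits.group(1)) < min_curve_bits:
                out.append(f"{proto}: {name} uses {kex}, below {min_curve_bits} bits")
        if info["preference"] == "client":
            out.append(f"{proto}: cipher order chosen by client")
    return out
```

Feeding the full scan text from the post to `parse()` and then `findings()` works the same way as with the constructed sample.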
