SSL "wrong version number"

I had a working elasticsearch 7.x with SSL configured.
I upgraded to elasticsearch 8.14 and now whenever I attempt to connect via curl I get an error message from the OpenSSL lib:

# curl -vvv --cacert /etc/elasticsearch/certs/ca/ca.crt -u elastic:PASSWORD https://127.0.0.1:9200
*   Trying 127.0.0.1:9200...
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/elasticsearch/certs/ca/ca.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
[Exit 35 ]

Debian GNU/Linux 12 (bookworm)
latest ELK 8.14 from PPA

minor follow-up:
I added --ssl2, --ssl3, --tls-max 1.0, --tls-max 1.1, --tls-max 1.2, and --tls-max 1.3 to the curl call, and the results were always identical. "wrong version number"

What does that error actually mean? Which version number is wrong?

Thanks for reaching out and providing the cURL snippet, @ebates. Can you also provide your elasticsearch node configuration (elasticsearch.yml)?

Thank you for your time. Here's the YAML:

# File:         elasticsearch/elasticsearch.yml
# Author:       Eric W. Bates
# Date:         Thu Jun  6 20:21:58 2024
# Time-stamp:   <2024-06-12 12:30:48 ericx>
# Description:  main config

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: elastiflow
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /var/lib/elasticsearch
path.data: /flow-data
#
# Path to log files:
#
#path.logs: /var/log/elasticsearch
path.logs: /flow-data
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
discovery.seed_hosts: []
discovery.type: 'single-node'

#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
action.destructive_requires_name: 'true'

####
# https://www.elastic.co/guide/en/elasticsearch/reference/7.16/configuring-stack-security.html

indices.query.bool.max_clause_count: 8192
search.max_buckets: 250000

xpack.security.transport.ssl.enabled: 'true'
xpack.security.transport.ssl.verification_mode: 'none'
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt
#xpack.security.transport.ssl.client_authentication: required

#xpack.monitoring.enabled: 'true'
xpack.monitoring.collection.enabled: 'true'
xpack.monitoring.collection.interval: 30s

xpack.security.enabled: 'true'
xpack.security.audit.enabled: 'false'

Your cluster does not have https enabled.

OpenSSL reports "wrong version number" when you use https to access an http server (it tries to interpret the plaintext stream as SSL and treats part of the HTTP response as an SSL version number).

If you want to use https (and we recommend that) then you need to configure xpack.security.http.ssl.*

It sounds like you had this working on 7.x, but I can't see how the upgrade would have led to your http.ssl.* settings being removed.

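The answer above explains the error in one sentence; the following added example (not part of the thread, and not Elastic's code) reproduces it offline and shows exactly which "version number" OpenSSL objects to. A constructed local listener stands in for a node whose port 9200 has no TLS: it answers any input, including a TLS ClientHello, with a plaintext `HTTP/1.1 400`. The probe reads the first five bytes back the way the TLS record layer does (content type, two version bytes, two length bytes), so the version field it reports for `HTTP/` is the letters `TT`, 0x5454, where a real handshake reply would carry 0x03 0x0x. A second probe runs a genuine handshake through Python's `ssl` module so the same OpenSSL reason string curl printed can be seen. The port number and the 400 response body are constructed for the demo.

```python
import socket
import socketserver
import ssl
import threading

# Constructed stand-in for an HTTP-only listener: whatever bytes arrive, it
# replies with a plaintext 400, which is what a TLS client then tries to parse
# as a TLS record.
PLAINTEXT_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"content-type: text/plain\r\n"
    b"content-length: 0\r\n"
    b"connection: close\r\n\r\n"
)

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2 (also the record version TLS 1.3 uses)"}


class _Plaintext400Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            self.request.recv(4096)  # consume the client's ClientHello (or anything else)
        except socket.timeout:
            pass
        self.request.sendall(PLAINTEXT_400)


def classify_record_header(hdr: bytes) -> dict:
    """Interpret the first 5 bytes a server sent as a TLS record header:
    byte 0 = content type, bytes 1-2 = protocol version, bytes 3-4 = length.
    OpenSSL reports 'wrong version number' when the major byte is not 0x03."""
    if len(hdr) < 5:
        return {"is_tls": False, "version_seen": None, "plaintext_http": False,
                "note": "fewer than 5 bytes received"}
    version = (hdr[1] << 8) | hdr[2]
    is_tls = hdr[1] == 0x03
    if is_tls:
        note = TLS_VERSIONS.get(version, "TLS record with unrecognised version")
    else:
        note = (f"not a TLS record: version field is 0x{version:04x} "
                f"(bytes {hdr[1:3]!r}); response begins {hdr[:5]!r}")
    return {"is_tls": is_tls, "version_seen": version,
            "plaintext_http": hdr.startswith(b"HTTP/"), "note": note}


def probe_raw(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send the start of a TLS ClientHello record (constructed bytes) and classify the reply."""
    # handshake record (0x16), record version TLS 1.0, length 5, then a truncated ClientHello body
    client_hello_prefix = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
    hdr = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello_prefix)
        while len(hdr) < 5:
            chunk = s.recv(5 - len(hdr))
            if not chunk:
                break
            hdr += chunk
    return classify_record_header(hdr)


def probe_openssl(host: str, port: int, timeout: float = 3.0):
    """Run a real handshake; return None on success or OpenSSL's reason string on failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # the demo listener has no certificate at all
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return None
    except ssl.SSLError as e:
        return getattr(e, "reason", None) or str(e)


def run_demo() -> dict:
    """Start the plaintext listener on an ephemeral loopback port, probe it both ways, stop it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _Plaintext400Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        return {"raw": probe_raw(host, port), "openssl_reason": probe_openssl(host, port)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_demo()
    print(result["raw"]["note"])
    print("OpenSSL handshake reason:", result["openssl_reason"])
```

Run against a real node, `probe_raw("127.0.0.1", 9200)` tells you in one round trip whether the port is speaking TLS at all before you start adjusting `--tls-max` flags on the client, which is why the flags tried in the follow-up question could never change the result: no client-side version choice turns `HTTP/` into a TLS record. Against the demo listener the handshake probe should return `WRONG_VERSION_NUMBER`, the reason curl reported.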

Thank you.

I swapped the "transport" string back to "http" as you suggested and now it is working.

I performed the original swap because after the upgrade to 8.x, elasticsearch would not start and it gave the error:

bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]; for more information see [https://www.elastic.co/guide/en/elasticsearch/reference/8.14/bootstrap-checks-xpack.html#bootstrap-checks-tls]

That document links one to: https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-basic-setup.html#encrypt-internode-communication
Which is where I got the example using "transport" instead of "http".

With the settings using "transport," at least the daemon started (albeit without SSL). I found that with "http" the error about improper SSL config goes away if I add:

discovery.type: 'single-node'

Thank you for your time.
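The thread's resolution comes down to two independent TLS layers in 8.x: `xpack.security.transport.ssl.*` (node-to-node, required by the bootstrap check quoted above) and `xpack.security.http.ssl.*` (what curl on 9200 actually talks to). Swapping one prefix for the other satisfies one check and breaks the other. The following added example (not part of the thread, not Elastic's tooling) is a small lint for the flat `key: value` style of elasticsearch.yml that reports which layer is missing. The two embedded configurations are constructed: one mirrors the settings posted above, the other has both layers enabled. The finding codes and messages are this example's own; the setting names are the real Elasticsearch keys.

```python
# Constructed excerpt of the configuration posted in the thread: security on,
# TLS on the transport layer only, so port 9200 speaks plaintext HTTP.
POSTED_CONFIG = """
network.host: 0.0.0.0
http.port: 9200
discovery.type: 'single-node'
xpack.security.enabled: 'true'
xpack.security.transport.ssl.enabled: 'true'
xpack.security.transport.ssl.verification_mode: 'none'
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt
"""

# Constructed corrected version: both layers enabled, so the bootstrap check
# passes and https://127.0.0.1:9200 gets a real TLS handshake.
FIXED_CONFIG = """
network.host: 0.0.0.0
http.port: 9200
discovery.type: 'single-node'
xpack.security.enabled: 'true'
# transport layer (node-to-node), required once security is enabled
xpack.security.transport.ssl.enabled: 'true'
xpack.security.transport.ssl.verification_mode: 'certificate'
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt
# http layer (REST clients on 9200), the one https:// connects to
xpack.security.http.ssl.enabled: 'true'
xpack.security.http.ssl.key: /etc/elasticsearch/certs/netflow/netflow.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/netflow/netflow.crt
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat dotted-key subset of elasticsearch.yml used above (comments stripped,
    surrounding quotes removed). Nested YAML blocks are out of scope for this lint."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_true(settings: dict, key: str) -> bool:
    return settings.get(key, "false").lower() == "true"


def has_keypair(settings: dict, prefix: str) -> bool:
    """A TLS layer needs either PEM key + certificate or a keystore path."""
    return ((f"{prefix}.key" in settings and f"{prefix}.certificate" in settings)
            or f"{prefix}.keystore.path" in settings)


def lint(settings: dict) -> list:
    """Return (code, message) findings; codes are this example's own labels."""
    findings = []
    security = is_true(settings, "xpack.security.enabled")
    transport = is_true(settings, "xpack.security.transport.ssl.enabled")
    http = is_true(settings, "xpack.security.http.ssl.enabled")
    if security and not transport:
        findings.append(("TRANSPORT_SSL_DISABLED",
                         "security is enabled but transport TLS is not: the 8.x bootstrap check "
                         "'Transport SSL must be enabled if security is enabled' fails"))
    elif transport and not has_keypair(settings, "xpack.security.transport.ssl"):
        findings.append(("TRANSPORT_SSL_NO_KEYPAIR",
                         "transport TLS enabled without key+certificate or keystore.path"))
    if not http:
        findings.append(("HTTP_SSL_DISABLED",
                         "port 9200 is plaintext HTTP: https:// clients fail with 'wrong version "
                         "number', and http:// clients send basic-auth credentials unencrypted"))
    elif not has_keypair(settings, "xpack.security.http.ssl"):
        findings.append(("HTTP_SSL_NO_KEYPAIR",
                         "http TLS enabled without key+certificate or keystore.path"))
    if settings.get("xpack.security.transport.ssl.verification_mode", "full").lower() == "none":
        findings.append(("TRANSPORT_VERIFICATION_NONE",
                         "verification_mode none: nodes accept any certificate from peers"))
    if settings.get("discovery.type") == "single-node":
        findings.append(("SINGLE_NODE_CHECKS_RELAXED",
                         "single-node discovery: bootstrap checks are logged as warnings instead "
                         "of stopping startup, which hides a failing transport-TLS check"))
    return findings


def lint_codes(text: str) -> list:
    return [code for code, _ in lint(parse_flat_yaml(text))]


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name)
        for code, message in lint(parse_flat_yaml(cfg)):
            print(f"  {code}: {message}")
```

The last finding explains the observation in the final post: adding `discovery.type: 'single-node'` makes the startup error go away because the node stops enforcing bootstrap checks, not because the TLS configuration became valid. Running the lint on the posted configuration flags the missing HTTP layer and the `verification_mode: 'none'` on transport; on the corrected one only the single-node note remains.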