Transport profiles with ES 7.5.0

akappler · January 9, 2020, 10:09am

Hi,

we configured ES 6.8.3 with a transport profile without mutual TLS authentication for use with a legacy client. Now we want to upgrade to ES 7.5.0, but the same configuration stopped working. Apparently no server certificate is generated, and the TLS handshake fails.

Here is the configuration:

  transport.profiles.client:
    port: 9500 
    xpack.security:
      type: client 
      ssl:
        client_authentication: none

And here is the output of openssl when trying to connect to the transport profile:

openssl s_client -connect localhost:9500                                              Do 09 Jan 2020 11:09:18 CET
CONNECTED(00000003)
140007703086336:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

akappler · January 9, 2020, 11:12am

Update: I tried to configure the same certificates for the additional transport profile, and this configuration works.

transport.profiles.client:
    port: 9500 
    xpack.security:
      type: client 
      ssl:
        client_authentication: none 
        certificate: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.crt 
        key: /usr/share/elasticsearch/config/node-transport-cert/transport.tls.key

Did something change in ES 7.x or in the operator, or is it intentional that no certificate is provided for additional transport profiles anymore?