Wilnlogbeat 7.6 Elasticsearch TLS Handshake failure

bernhard.fluehmann · April 9, 2020, 7:17am

After upgrade of Winlogbeat from 7.4.2 to 7.6.1 or 7.6.2, communication to elasitcsearch (7.6.1) was broken. The logs point to a TLS Handshake problem.

Removing of TLSv1.3 from ssl.supported_protocols solved the problem. This points to a problem with TLSv1.3, most probably on the beat side, but maybe of Elasticsarch as well.

Beat and Elasticsearch run on the same host, OS Version is Windows 2019 64 BIT

Error message Winlogbeat

Ping request failed with: Get https://xxxxxxxx:9200: remote error: tls: handshake failure
2020-04-02T19:58:03.350+0200 DEBUG [monitoring] elasticsearch/elasticsearch.go:259 Monitoring  could not connect to Elasticsearch, failed with cannot connect underlying Elasticsearch client: Get https://xxxxxxxx:9200: remote error: tls: handshake failure

Error message Elasticsearch

[2020-04-02T19:38:32,914][WARN ][o.e.h.AbstractHttpServerTransport] [ELST01] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/10.131.38.109:60848}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:473) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:281) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:700) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:600) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:554) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1050) [netty-common-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.43.Final.jar:4.1.43.Final]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
	at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
	at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:255) ~[?:?]
	at sun.security.ssl.PskKeyExchangeModesExtension$PskKeyExchangeModesOnTradeAbsence.absent(PskKeyExchangeModesExtension.java:327) ~[?:?]
	at sun.security.ssl.SSLExtension.absentOnTrade(SSLExtension.java:572) ~[?:?]
	at sun.security.ssl.SSLExtensions.consumeOnTrade(SSLExtensions.java:180) ~[?:?]
	at sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:522) ~[?:?]
	at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1189) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1125) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:831) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:792) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:503) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	... 16 more

ikakavas · April 9, 2020, 9:28am

This sounds like https://bugs.openjdk.java.net/browse/JDK-8210334 which should be resolved in JDK 12

system · May 7, 2020, 9:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
●[TLS] Question: Secure communication between Winlogbeat/ElasticSearch causes an error Beats elastic-stack-security , winlogbeat	3	315	February 9, 2024
Winlogbeat ssl to elasticsearch Beats elastic-stack-security , winlogbeat	3	397	January 7, 2021
More crypto problems with Elasticsearch Beats winlogbeat	1	429	August 27, 2019
Proxyconnect tcp: tls: first record does not look like a TLS handshake metricbeat monitoring elasticsearch Beats metricbeat	4	6387	November 26, 2020
Beats stopped working after enabled TLS/SSL on Elasticsearch and Kibana Beats packetbeat , winlogbeat , auditbeat	7	675	October 20, 2020

Wilnlogbeat 7.6 Elasticsearch TLS Handshake failure

Related topics