Winlogbeat 7.6 Elasticsearch TLS Handshake failure

After upgrading Winlogbeat from 7.4.2 to 7.6.1 or 7.6.2, communication with Elasticsearch (7.6.1) was broken. The logs point to a TLS handshake problem.

Removing TLSv1.3 from ssl.supported_protocols solved the problem. This points to a problem with TLSv1.3, most probably on the Beat side, but maybe in Elasticsearch as well.

Beat and Elasticsearch run on the same host; the OS version is Windows 2019, 64-bit.

Error message Winlogbeat

Ping request failed with: Get https://xxxxxxxx:9200: remote error: tls: handshake failure
2020-04-02T19:58:03.350+0200 DEBUG [monitoring] elasticsearch/elasticsearch.go:259 Monitoring  could not connect to Elasticsearch, failed with cannot connect underlying Elasticsearch client: Get https://xxxxxxxx:9200: remote error: tls: handshake failure

Error message Elasticsearch

[2020-04-02T19:38:32,914][WARN ][o.e.h.AbstractHttpServerTransport] [ELST01] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200, remoteAddress=/10.131.38.109:60848}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:473) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:281) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1422) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:931) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:700) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:600) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:554) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:514) [netty-transport-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$6.run(SingleThreadEventExecutor.java:1050) [netty-common-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.43.Final.jar:4.1.43.Final]
	at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: pre_shared_key key extension is offered without a psk_key_exchange_modes extension
	at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
	at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:255) ~[?:?]
	at sun.security.ssl.PskKeyExchangeModesExtension$PskKeyExchangeModesOnTradeAbsence.absent(PskKeyExchangeModesExtension.java:327) ~[?:?]
	at sun.security.ssl.SSLExtension.absentOnTrade(SSLExtension.java:572) ~[?:?]
	at sun.security.ssl.SSLExtensions.consumeOnTrade(SSLExtensions.java:180) ~[?:?]
	at sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:522) ~[?:?]
	at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1189) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1125) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:831) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:792) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:503) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	... 16 more

This sounds like https://bugs.openjdk.java.net/browse/JDK-8210334 which should be resolved in JDK 12
