Finally it worked with the new version. But from the logs, it's not clear which version of TLS is being enforced. On the allowed_protocols, I just had TLSv1.2. Previously, I used to get a message like “ROR SSL accepted protocols: TLSv1.2”. But now the log entry simply says restricting to TLSv1,TLSv1.1,TLSv1.2. So it is not very clear if the parameter got accepted or not.
Also, when restricting the cipher, I am assuming the supported list changes based on what protocol setting we use. So you might want to test it out to see what happens if someone gives an unsupported cipher for the protocol used, OR gives a list of ciphers and 2 protocols, with some ciphers supported on one version and others on the other version. In our environment, for most applications, we are being asked to allow backward compatibility, but default to v1.2 on the application side. So there might be similar requirements later on for ROR as well, where users might end up using a combination of protocols. So that is probably a scenario that you will need to validate. In our case, we are going to use only TLSv1.2 for ROR as our application is the only consumer.
[2018-01-02T18:05:47,113][INFO ][t.b.r.e.SSLTransportNetty4] Loaded good settings from D:\Apps\Program Files\Elasticsearch-5.5.1\config\readonlyrest.yml
[2018-01-02T18:05:47,309][INFO ][t.b.r.e.SSLTransportNetty4] creating SSL transport
[2018-01-02T18:05:47,311][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: attempting with JKS keystore..
[2018-01-02T18:05:47,313][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered key from JKS
[2018-01-02T18:05:47,313][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
[2018-01-02T18:05:47,394][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Using SSL provider: JDK
[2018-01-02T18:05:47,397][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
[2018-01-02T18:05:47,397][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Restricting to ciphers: TLSv1,TLSv1.1,TLSv1.2
[2018-01-02T18:05:47,397][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Avaliable SSL protocols: TLSv1,TLSv1.1,TLSv1.2
[2018-01-02T18:05:47,398][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Also, not to be picky - “Avaliable SSL protocols” - Available is spelled incorrectly
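The check below is an added example, not part of the original post and not ReadonlyREST code. It parses startup lines in the format quoted above, flags a "Restricting to ciphers" line that actually lists protocols, and maps each listed protocol to the ciphers that can be negotiated under it. The function names, the constructed sample log, and the name-based rule that GCM and SHA256/SHA384 suites require TLS 1.2 are assumptions of the example.

```python
import re

# Constructed sample in the format of the startup lines quoted above.
PFX = "[2018-01-02T18:05:47,397][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: "
SAMPLE_LOG = "\n".join([
    PFX + "Available ciphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
    PFX + "Restricting to ciphers: TLSv1,TLSv1.1,TLSv1.2",
    PFX + "Avaliable SSL protocols: TLSv1,TLSv1.1,TLSv1.2",
])

LINE = re.compile(r"ROR SSL: ([^:]+): (\S+)\s*$")
PROTO = re.compile(r"^(SSLv\d|TLSv\d(\.\d)?)$")

def parse_ror_ssl(log_text):
    """Map each 'ROR SSL: <label>: a,b,c' line to {label: [a, b, c]}."""
    out = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            out[m.group(1)] = m.group(2).split(",")
    return out

def needs_tls12(cipher):
    """Assumed rule: GCM and SHA256/SHA384 suites exist only for TLS 1.2."""
    return "_GCM_" in cipher or cipher.endswith(("_SHA256", "_SHA384"))

def audit(log_text, wanted_protocols):
    """Return (findings, {protocol: ciphers negotiable under it})."""
    info = parse_ror_ssl(log_text)
    findings = []
    restricted = info.get("Restricting to ciphers", [])
    protocols = [v for v in restricted if PROTO.match(v)]
    if protocols and len(protocols) == len(restricted):
        findings.append("'Restricting to ciphers' line lists protocols")
    extra = sorted(set(protocols) - set(wanted_protocols))
    if extra:
        findings.append("restricted set exceeds configuration: " + ",".join(extra))
    ciphers = info.get("Available ciphers", [])
    usable = {p: [c for c in ciphers if p == "TLSv1.2" or not needs_tls12(c)]
              for p in protocols}
    findings += ["no usable cipher for " + p for p in protocols if not usable[p]]
    return findings, usable

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, ["TLSv1.2"])[0]:
        print(finding)
```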