TLS 1.0 support


(Shota) #1

Hello,
Does ROR Pro support TLS 1.0?
If it is not enabled by default, how can I turn it on manually?

Thank you


(Simone Scarduzio) #2

Hi @shota,

Our Kibana plugins do not need to implement TLS on either of the HTTP interfaces (ES<->Kibana and Kibana<->User Agent). This functionality is already provided by Kibana.

We implement HTTPS from scratch in our Free plugin for Elasticsearch and we have a way for you to specify which protocols and cyphers should be accepted.

I hope this helps.


(Shota) #3

Hello sscarduzio, thank you for the reply.
We have an application which has to connect to our ES cluster in a secure way, and our app is a rather old version and has some problems connecting with the new TLS version because it is written in old Java 6.
I have a question: when I enable “http.type: ssl_netty4”, what SSL version does it enable on Elasticsearch? Does it accept only TLS, or does it also accept SSL version 3? What do I have to do to accept SSL 3?
Here is my application error:

2018-08-03 13:10:04,966 [WebContainer : 23] WARN ElasticUniversalSearchDao [-JOCjS0GNwSZJlczsG3Rpqx] [368747195] - Null result is found in a search context, index name someindex.
2018-08-03 13:10:04,966 [WebContainer : 23] INFO RestSecurityInterceptor [] [] - afterCompletion(): [IP: /IPADDRESSCHANGED, REST: GET /ibs/delegate/rest/search/v1/universalSearch, 16 ms]
2018-08-03 13:10:05,699 [WebContainer : 23] INFO RestSecurityInterceptor [] [] - User found: PSPDAZGVEVA for session: -JOCjS0GNwSZJlczsG3Rpqx
2018-08-03 13:10:05,699 [WebContainer : 23] INFO SessionManagerImpl [-JOCjS0GNwSZJlczsG3Rpqx] [] - Update last access time to Fri Aug 03 13:10:05 GET 2018
2018-08-03 13:10:05,715 [WebContainer : 23] DEBUG CsrfCheckInterceptor [-JOCjS0GNwSZJlczsG3Rpqx] [368747195] - CSRF protection is TURNED OFF.
2018-08-03 13:10:05,715 [WebContainer : 23] ERROR MovementsKeywordQueryContext [-JOCjS0GNwSZJlczsG3Rpqx] [368747195] - Exception processing future results:
java.util.concurrent.ExecutionException: cz.bsc.g6.components.base.common.exception.GafSystemException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:233)
at java.util.concurrent.FutureTask.get(FutureTask.java:94)
at cz.bsc.g8.components.elastic.impl.query.movements.MovementsKeywordQueryContext.getResult(MovementsKeywordQueryContext.java:44)
at cz.bsc.g8.components.elastic.impl.query.movements.MovementsKeywordQueryContext.getResult(MovementsKeywordQueryContext.java:19)
at cz.bsc.g8.components.elastic.impl.ElasticUniversalSearchDao.createUniversalSearchResult(ElasticUniversalSearchDao.java:124)
at cz.bsc.g8.components.elastic.impl.ElasticUniversalSearchDao.search(ElasticUniversalSearchDao.java:68)
at cz.bsc.g6.components.search.manager.impl.UniversalSearchManagerImpl.searchAllForCurrentActor(UniversalSearchManagerImpl.java:54)
at cz.bsc.g6.rest.txdelegate.impl.search.UniversalSearchTxDelegateImpl.universalSearch(UniversalSearchTxDelegateImpl.java:53)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:317)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport$1.doInTransaction(TransactionAspectSupport.java:304)
at org.springframework.transaction.jta.WebSphereUowTransactionManager$UOWActionAdapter.run(WebSphereUowTransactionManager.java:347)
at com.ibm.ws.uow.UOWManagerImpl.runUnderNewUOW(UOWManagerImpl.java:1116)
at com.ibm.ws.uow.UOWManagerImpl.runUnderUOW(UOWManagerImpl.java:630)
at org.springframework.transaction.jta.WebSphereUowTransactionManager.execute(WebSphereUowTransactionManager.java:290)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:298)
at cz.bsc.g6.components.base.manager.impl.transaction.GafTransactionInterceptor.invokeWithinTransaction(GafTransactionInterceptor.java:31)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
at com.sun.proxy.$Proxy951.universalSearch(Unknown Source)
at cz.bsc.g6.rest.controller.search.UniversalSearchControllerV1.universalSearchByKeyword(UniversalSearchControllerV1.java:62)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
at java.lang.reflect.Method.invoke(Method.java:611)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:858)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:718)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at com.liferay.portal.kernel.servlet.PortalDelegatorServlet.service(PortalDelegatorServlet.java:92)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:831)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1694)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1635)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:149)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:196)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:126)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:196)
at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:240)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:123)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:196)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:126)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:196)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:126)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:196)
at com.liferay.portal.servlet.filters.threadlocal.ThreadLocalFilter.processFilter(ThreadLocalFilter.java:51)
at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:123)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at cz.bsc.g6.liferay.auth.CookieKillerFilter.doFilter(CookieKillerFilter.java:95)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:125)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:80)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:908)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:965)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:508)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:181)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:91)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:879)
at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1592)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:191)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:516)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:307)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:84)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1662)
Caused by: cz.bsc.g6.components.base.common.exception.GafSystemException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at cz.bsc.g6.components.base.integration.operation.rest.RestCommandGetEx.execute(RestCommandGetEx.java:63)
at cz.bsc.g8.components.elastic.impl.BaseElasticDao.doSearch(BaseElasticDao.java:92)
at cz.bsc.g8.components.elastic.impl.BaseElasticDao$1.call(BaseElasticDao.java:72)
at cz.bsc.g8.components.elastic.impl.BaseElasticDao$1.call(BaseElasticDao.java:68)
at cz.bsc.g6.components.base.executor.TaskExecutorWrapper$CallableWrapper.call(TaskExecutorWrapper.java:96)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:314)
at java.util.concurrent.FutureTask.run(FutureTask.java:149)
at org.springframework.scheduling.commonj.DelegatingWork.run(DelegatingWork.java:62)
at com.ibm.ws.asynchbeans.J2EEContext$RunProxy.run(J2EEContext.java:266)
at java.security.AccessController.doPrivileged(AccessController.java:384)
at javax.security.auth.Subject.doAs(Subject.java:495)
at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:131)
at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:89)
at com.ibm.ws.asynchbeans.J2EEContext$DoAsProxy.run(J2EEContext.java:337)
at java.security.AccessController.doPrivileged(AccessController.java:413)
at com.ibm.ws.asynchbeans.J2EEContext.run(J2EEContext.java:1146)
at com.ibm.ws.asynchbeans.WorkWithExecutionContextImpl.go(WorkWithExecutionContextImpl.java:199)
at com.ibm.ws.asynchbeans.CJWorkItemImpl.run(CJWorkItemImpl.java:188)
… 1 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.p.a(p.java:12)
at com.ibm.jsse2.p.a(p.java:31)
at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:502)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:635)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:50)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:253)
at com.ibm.jsse2.l.write(l.java:37)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:76)
at java.io.BufferedOutputStream.write(BufferedOutputStream.java:115)
at java.io.FilterOutputStream.write(FilterOutputStream.java:91)
at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:145)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at cz.bsc.g6.components.base.integration.operation.rest.RestCommandGetEx.execute(RestCommandGetEx.java:54)
… 18 more
2018-08-03 13:10:05,715 [WebContainer : 23] WARN ElasticUniversalSearchDao [-JOCjS0GNwSZJlczsG3Rpqx] [368747195] - Null result is found in a search context, index name someindex.


(Simone Scarduzio) #4

Hi @shota,

ReadonlyREST Free for Elasticsearch will inherit the list of available protocols and cyphers from the operating system. We optionally let you apply restrictions to what protocols and cyphers are to be accepted, if you configure so.

This is an example from ROR running on my MacBook:

[2018-08-03T19:49:22,032][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
[2018-08-03T19:49:22,034][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available SSL protocols: TLSv1,TLSv1.1,TLSv1.2

I encourage you to try and find similar log lines in your ES server, and configure your OS according to your needs. Don’t forget to restart ES after making the changes.
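
Added example (not part of the original thread and not ReadonlyREST code): a small Python check that parses the two "ROR SSL:" log lines quoted in post #4 and compares them with what a client offers, which is the comparison the last post suggests doing by hand. The client offer (LEGACY_PROTOCOLS, LEGACY_CIPHERS) is constructed for illustration; an empty result means the two sides have nothing in common, which a client sees as a handshake failure.

```python
import re

# Matches the two "ROR SSL:" startup lines quoted in post #4.
ROR_SSL = re.compile(r"ROR SSL: Available (ciphers|SSL protocols): (\S+)")
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest first
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 and RFC 8996

# The two log lines from post #4, copied verbatim.
SAMPLE_LOG = (
    "[2018-08-03T19:49:22,032][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: "
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA\n"
    "[2018-08-03T19:49:22,034][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available SSL protocols: TLSv1,TLSv1.1,TLSv1.2\n"
)
# Constructed client offer (assumption): a legacy client limited to TLS 1.0.
LEGACY_PROTOCOLS = ["TLSv1"]
LEGACY_CIPHERS = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]


def parse_ror_ssl(log_text):
    """Return {'ciphers': [...], 'protocols': [...]} found in ES log text."""
    found = {"ciphers": [], "protocols": []}
    for kind, values in ROR_SSL.findall(log_text):
        found["ciphers" if kind == "ciphers" else "protocols"] = values.split(",")
    return found


def needs_tls12(suite):
    """GCM and SHA-256/SHA-384 suites are only defined from TLS 1.2 onwards."""
    return suite.endswith(("_SHA256", "_SHA384"))


def negotiate(server, client_protocols, client_ciphers):
    """Return (highest shared protocol, shared suites usable under it)."""
    shared = [p for p in PROTOCOL_ORDER
              if p in server["protocols"] and p in client_protocols]
    if not shared:
        return None, []
    version = shared[-1]
    usable = [c for c in server["ciphers"] if c in client_ciphers
              and not (version in DEPRECATED and needs_tls12(c))]
    return version, usable


def deprecated_enabled(server):
    """Deprecated protocol versions the server still accepts."""
    return [p for p in PROTOCOL_ORDER if p in server["protocols"] and p in DEPRECATED]
```

Run against the log lines from your own ES node, negotiate() shows which suite a TLS 1.0-only client could still use, and deprecated_enabled() lists the legacy versions that stay exposed if you keep them on for that client.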