elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Configuring cipher_suites works but ssl.cipher_suites not working #39758

Open Tejaswi43 opened 4 months ago

Tejaswi43 commented 4 months ago

I want to configure particular cipher suites to be used by filebeat to connect with logstash. While using ssl.cipher_suites I was getting the error log below

{"log.level":"error","@timestamp":"2024-05-28T06:28:10.029Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1312},"message":"Exiting: 1 error initializing publisher: could not setup output certificates reloader: unpacking 'ssl' config: invalid tls cipher suite 'TLS_AES_128_GCM_SHA256' accessing 'output.logstash.ssl.cipher_suites.0' (source:'/opt/filebeat/filebeat.yml')","service.name":"filebeat","ecs.version":"1.6.0"}

And with all the same setup I tried with cipher_suites, and then it worked. Is there any specific configuration I missed, or suggestions to check?

elasticmachine commented 4 months ago

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

jeanfabrice commented 2 days ago

@Tejaswi43 can you try with the spelling ECDHE-ECDSA-AES-128-GCM-SHA256 or ECDHE-RSA-AES-128-GCM-SHA256 or RSA-AES-128-GCM-SHA256 as listed here, based on your expectations? TLS_AES_128_GCM_SHA256 is not supported I believe, and it looks like a spelling error

teja431 commented 2 days ago

Thanks for the reply @jeanfabrice. Yeah, it's a spelling error. It seems that only the list of ciphers mentioned in the official documentation are supported to configure, and also TLS 1.3 ciphers seem not to be supported to configure separately

jeanfabrice commented 1 day ago

@teja431 The cipher list comes straight from the Go crypto/tls library

Regarding TLS 1.3, it looks like it is related to the same library as described in the documentation

Note that if TLS 1.3 is enabled (which is true by default), then the default TLS 1.3 cipher suites are always included, because Go’s standard library adds them to all connections. In order to exclude the default TLS 1.3 ciphers, TLS 1.3 must also be disabled, e.g. with the setting ssl.supported_protocols = [TLSv1.2].

Source:

// CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of
// the list is ignored. Note that TLS 1.3 ciphersuites are not configurable.
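The two points of the thread, that the configurable names are the ones Go's crypto/tls implements for TLS 1.0 to 1.2, and that a TLS 1.3 suite is negotiated no matter what the list says unless TLS 1.3 is disabled, can be observed directly against crypto/tls. The program below is an added example, not Beats code: it resolves a suite by its Go name (Go spells the suite the Beats documentation lists as ECDHE-ECDSA-AES-128-GCM-SHA256 as TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), rejects TLS 1.3-only suites with an illustrative error message of its own (the wording is not Beats'), and then runs an in-memory client/server handshake over net.Pipe with a throwaway self-signed ECDSA certificate, once with TLS 1.3 allowed and once capped at TLS 1.2, the equivalent of ssl.supported_protocols = [TLSv1.2]. The host name "demo-logstash" and the certificate are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// configurableSuiteID resolves a cipher suite by its Go name against the list
// crypto/tls implements. A suite whose only supported version is TLS 1.3 is
// rejected, because tls.Config.CipherSuites governs TLS 1.0-1.2 only; that is
// why a TLS 1.3 name in ssl.cipher_suites cannot be honoured.
// (Illustration only: the error text here is not Beats' own message.)
func configurableSuiteID(goName string) (uint16, error) {
	for _, cs := range tls.CipherSuites() {
		if cs.Name != goName {
			continue
		}
		for _, v := range cs.SupportedVersions {
			if v <= tls.VersionTLS12 {
				return cs.ID, nil
			}
		}
		return 0, fmt.Errorf("cipher suite %q is TLS 1.3-only and is not configurable", goName)
	}
	return 0, fmt.Errorf("invalid tls cipher suite %q", goName)
}

// selfSignedECDSA builds a throwaway P-256 certificate for the in-memory
// server (constructed for the demo; an ECDHE-ECDSA suite needs an ECDSA key).
func selfSignedECDSA(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// negotiate runs a client/server handshake over net.Pipe with the given suite
// list and protocol ceiling on both sides and reports what was negotiated.
func negotiate(suites []uint16, maxVersion uint16) (version uint16, suite string, err error) {
	const host = "demo-logstash"
	cert, leaf, err := selfSignedECDSA(host)
	if err != nil {
		return 0, "", err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	// Session tickets are disabled so the server's flight ends at Finished;
	// net.Pipe has no buffer, and extra unread bytes would deadlock the demo.
	srvConf := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: suites,
		MinVersion: tls.VersionTLS12, MaxVersion: maxVersion, SessionTicketsDisabled: true}
	cliConf := &tls.Config{RootCAs: pool, ServerName: host, CipherSuites: suites,
		MinVersion: tls.VersionTLS12, MaxVersion: maxVersion}

	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srv, cli := tls.Server(c1, srvConf), tls.Client(c2, cliConf)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return 0, "", err
	}
	if err := <-srvErr; err != nil {
		return 0, "", err
	}
	st := cli.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

// verName renders the two protocol versions this demo uses.
func verName(v uint16) string {
	switch v {
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	id, err := configurableSuiteID("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256")
	if err != nil {
		panic(err)
	}
	if _, err := configurableSuiteID("TLS_AES_128_GCM_SHA256"); err != nil {
		fmt.Println("rejected:", err)
	}
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		v, s, err := negotiate([]uint16{id}, max)
		if err != nil {
			panic(err)
		}
		fmt.Printf("max=%s -> negotiated %s with %s\n", verName(max), verName(v), s)
	}
}
```

With TLS 1.3 allowed, the configured ECDHE-ECDSA suite is ignored and one of Go's built-in TLS 1.3 suites is negotiated (which one depends on the host's AES hardware support); only with the ceiling at TLS 1.2 does the configured list decide the result. This is the behaviour behind the documentation note quoted above, and why restricting ciphers in filebeat to a single list also means setting ssl.supported_protocols.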