Remove TLSv1.1 from default protocols (#121731)

tvernum · web-flow · commit 17657c010489 · 2025-02-10T09:12:52.000+01:00
This commit removes "TLSv1.1" from the list of default protocols in Elasticsearch (starting with ES9.0) TLSv1.1 has been deprecated by the IETF since March 2021 This affects a variety of TLS contexts, include - The HTTP Server (Rest API) - Transport protocol (including CCS and CCR) - Outgoing connections for features that have configurable SSL settings. This includes - reindex - watcher - security realms (SAML, OIDC, LDAP, etc) - monitoring exporters - inference services In practice, however, TLSv1.1 has been disabled in most Elasticsearch deployments since around 7.12 because most JDK releases have disabled TLSv1.1 (by default) starting in April 2021 That is, if you run a default installation of Elasticsearch (for any currently supported version of ES) that uses the bundled JVM then TLSv1.1 is already disabled. And, since ES9+ requires JDK21+, all supported JDKs ship with TLSv1.1 disabled by default. In addition, incoming HTTP connections to Elastic Cloud deployments have required TLSv1.2 or higher since April 2020 This change simply makes it clear that Elasticsearch does not attempt to enable TLSv1.1 and administrators who wish to use that protocol will need to explicitly enable it in both the JVM and in Elasticsearch. Resolves: #108057
diff --git a/docs/changelog/121731.yaml b/docs/changelog/121731.yaml
@@ -0,0 +1,21 @@
+pr: 121731
+summary: Remove TLSv1.1 from default protocols
+area: TLS
+type: breaking
+issues: []
+breaking:
+  title: Remove TLSv1.1 from default protocols
+  area: Cluster and node setting
+  details: "TLSv1.1 is no longer enabled by default. Prior to version 9.0, Elasticsearch\
+    \ would attempt to enable TLSv1.1 if the JDK supported it. In most cases, including\
+    \ all cases where Elasticsearch 8 was running with the bundled JDK, the JDK would\
+    \ not support TLSv1.1, so that protocol would not be available in Elasticsearch.\
+    \ However, if Elasticsearch was running on an old JDK or a JDK that have been\
+    \ reconfigured to support TLSv1.1, then the protocol would automatically be available\
+    \ within Elasticsearch. As of Elasticsearch 9.0, this is no longer true. If you\
+    \ wish to enable TLSv1.1 then you must enable it within the JDK and also enable\
+    \ it within Elasticsearch by using the `ssl.supported_protocols` setting."
+  impact: "Most users will not be impacted. If your Elastisearch 8 cluster was using\
+    \ a custom JDK and you relied on TLSv1.1, then you will need to explicitly enable\
+    \ TLSv1.1 within Elasticsearch (as well as enabling it within your JDK)"
+  notable: false
diff --git a/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java b/libs/ssl-config/src/main/java/org/elasticsearch/common/ssl/SslConfigurationLoader.java
@@ -13,8 +13,6 @@
 
 import java.nio.file.Path;
 import java.security.KeyStore;
-import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
@@ -25,7 +23,6 @@
 import javax.net.ssl.TrustManagerFactory;
 
 import static org.elasticsearch.common.ssl.KeyStoreUtil.inferKeyStoreType;
-import static org.elasticsearch.common.ssl.SslConfiguration.ORDERED_PROTOCOL_ALGORITHM_MAP;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CERTIFICATE;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CERTIFICATE_AUTHORITIES;
 import static org.elasticsearch.common.ssl.SslConfigurationKeys.CIPHERS;
@@ -63,11 +60,7 @@
  */
 public abstract class SslConfigurationLoader {
 
-    static final List<String> DEFAULT_PROTOCOLS = Collections.unmodifiableList(
-        ORDERED_PROTOCOL_ALGORITHM_MAP.containsKey("TLSv1.3")
-            ? Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1")
-            : Arrays.asList("TLSv1.2", "TLSv1.1")
-    );
+    static final List<String> DEFAULT_PROTOCOLS = List.of("TLSv1.3", "TLSv1.2");
 
     private static final List<String> JDK12_CIPHERS = List.of(
         // TLSv1.3 cipher has PFS, AEAD, hardware support
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackSettings.java
@@ -317,7 +317,7 @@ public static Setting<String> defaultStoredSecureTokenHashAlgorithmSetting(
         }, Property.NodeScope);
     }
 
-    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1");
+    public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");
 
     public static final SslClientAuthenticationMode CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.REQUIRED;
     public static final SslClientAuthenticationMode HTTP_CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.NONE;

Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,7 @@ public static Setting<String> defaultStoredSecureTokenHashAlgorithmSetting(`
`317`	`317`	`}, Property.NodeScope);`
`318`	`318`	`}`
`319`	`319`
`320`		`- public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2", "TLSv1.1");`
	`320`	`+ public static final List<String> DEFAULT_SUPPORTED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");`
`321`	`321`
`322`	`322`	`public static final SslClientAuthenticationMode CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.REQUIRED;`
`323`	`323`	`public static final SslClientAuthenticationMode HTTP_CLIENT_AUTH_DEFAULT = SslClientAuthenticationMode.NONE;`