You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Until recently, public CAs would issue certificates with an Extended Key
Usage set that includes the `clientAuth` value, allowing these
certificates to be used for mTLS. Nonetheless it is a mistake to use
such certificates for mTLS. To prevent users from continuing to make
this mistake, all certificates issued by public CAs will soon omit the
`clientAuth` usage value.
Elasticsearch will by default use mTLS for inter-node connections, and
we've recently encountered some users who have been obtaining their
transport certificates from such public CAs and mistakenly using them
for mTLS. This commit adds some links to the documentation added in
elastic/docs-content#3932 clarifying the
security model and giving clearer recommendations in this area.
Copy file name to clipboardExpand all lines: docs/reference/elasticsearch/configuration-reference/security-settings.md
+12-2Lines changed: 12 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1923,7 +1923,13 @@ PKCS#12 files are configured in the same way as Java keystore files:
1923
1923
1924
1924
## Transport TLS/SSL settings [transport-tls-ssl-settings]
1925
1925
1926
-
You can configure the following TLS/SSL settings.
1926
+
The settings in this section relate to node-to-node transport connections.
1927
+
1928
+
By default, {{es}} uses mutual TLS (mTLS) to secure node-to-node transport connections within a cluster. With mTLS, data is encrypted in transit and both nodes must present valid certificates when connecting. Each node requires that certificates be issued by a trusted certificate authority, ensuring that only authorized nodes can connect. [Learn about configuring node-to-node mTLS](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication).
1929
+
1930
+
::::{warning}
1931
+
Transport connections between Elasticsearch nodes are security-critical and you must protect them carefully. Malicious actors who can observe or interfere with unencrypted node-to-node transport traffic can read or modify cluster data. A malicious actor who can establish a transport connection might be able to invoke system-internal APIs, including APIs that read or modify cluster data.
1932
+
::::
1927
1933
1928
1934
`xpack.security.transport.ssl.enabled`
1929
1935
: ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) Used to enable or disable TLS/SSL on the transport networking layer, which nodes use to communicate with each other. The default is `false`.
@@ -1939,7 +1945,11 @@ You can configure the following TLS/SSL settings.
: ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) Controls the server’s behavior in regard to requesting a certificate from client connections. Valid values are `required`, `optional`, and `none`. `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. Defaults to `required`.
1948
+
: ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) Controls the node's behavior in regard to requesting a certificate when accepting an inbound transport connections from another {{es}} node. Valid values are `required`, `optional`, and `none`. The default is `required` which means that the connecting node must present a valid client certificate during the connection process. May also be set to `optional` which means that a client certificate is requested but the connecting node may choose not to present one, or `none` which means that no client certificate is even requested during the connection process.
1949
+
1950
+
::::{warning}
1951
+
Turning off mTLS by setting `xpack.security.transport.ssl.client_authentication` to `optional` or `none` allows anyone with network access to establish transport connections. Malicious actors can use these connections to invoke system-internal APIs that might read or modify cluster data. Use mTLS to protect your node-to-node transport connections unless you are absolutely certain that unauthorized network access to these nodes cannot occur.
1952
+
::::
1943
1953
1944
1954
`xpack.security.transport.ssl.verification_mode`
1945
1955
: ([Static](docs-content://deploy-manage/stack-settings.md#static-cluster-setting)) Defines how to verify the certificates presented by another party in the TLS connection:
0 commit comments