183 lines
8.2 KiB
Plaintext
183 lines
8.2 KiB
Plaintext
tag::ssl-certificate[]
|
|
Specifies the path for the PEM encoded certificate (or certificate chain) that is
|
|
associated with the key.
|
|
+
|
|
This setting can be used only if `ssl.key` is set.
|
|
end::ssl-certificate[]
|
|
|
|
tag::ssl-certificate-authorities[]
|
|
List of paths to PEM encoded certificate files that should be trusted.
|
|
+
|
|
This setting and `ssl.truststore.path` cannot be used at the same time.
|
|
end::ssl-certificate-authorities[]
|
|
|
|
tag::ssl-cipher-suites-values[]
|
|
Supported cipher suites vary depending on which version of Java you use. For
|
|
example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`,
|
|
`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
|
|
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
|
|
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
|
|
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
|
|
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
|
|
`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
|
|
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
|
|
`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
|
|
+
|
|
For more information, see Oracle's
|
|
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
|
|
end::ssl-cipher-suites-values[]
|
|
|
|
tag::ssl-cipher-suites-values-java11[]
|
|
Supported cipher suites vary depending on which version of Java you use. For
|
|
example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
|
|
`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
|
|
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
|
|
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
|
|
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
|
|
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`,
|
|
`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`,
|
|
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
|
|
`TLS_RSA_WITH_AES_128_CBC_SHA`.
|
|
+
|
|
--
|
|
NOTE: The default cipher suites list above includes TLSv1.3 ciphers and ciphers
|
|
that require the _Java Cryptography Extension (JCE) Unlimited Strength
|
|
Jurisdiction Policy Files_ for 256-bit AES encryption. If TLSv1.3 is not
|
|
available, the TLSv1.3 ciphers `TLS_AES_256_GCM_SHA384` and
|
|
`TLS_AES_128_GCM_SHA256` are not included in the default list. If 256-bit AES is
|
|
unavailable, ciphers with `AES_256` in their names are not included in the
|
|
default list. Finally, AES GCM has known performance issues in Java versions
|
|
prior to 11 and is included in the default list only when using Java 11 or above.
|
|
|
|
For more information, see Oracle's
|
|
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
|
|
--
|
|
end::ssl-cipher-suites-values-java11[]
|
|
|
|
tag::ssl-key-pem[]
|
|
Path to a PEM encoded file containing the private key.
|
|
+
|
|
If HTTP client authentication is required, it uses this file. You cannot use
|
|
this setting and `ssl.keystore.path` at the same time.
|
|
end::ssl-key-pem[]
|
|
|
|
tag::ssl-key-passphrase[]
|
|
The passphrase that is used to decrypt the private key. Since the key might not
|
|
be encrypted, this value is optional.
|
|
+
|
|
You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
|
|
end::ssl-key-passphrase[]
|
|
|
|
tag::ssl-keystore-key-password[]
|
|
The password for the key in the keystore. The default is the keystore password.
|
|
+
|
|
You cannot use this setting and `ssl.keystore.secure_password` at the same time.
|
|
//TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time.
|
|
end::ssl-keystore-key-password[]
|
|
|
|
tag::ssl-keystore-password[]
|
|
The password for the keystore.
|
|
//TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time.
|
|
end::ssl-keystore-password[]
|
|
|
|
tag::ssl-keystore-path[]
|
|
The path for the keystore file that contains a private key and certificate.
|
|
+
|
|
It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this
|
|
setting and `ssl.key` at the same time.
|
|
//TBD: It must be either a Java keystore (jks) or a PKCS#12 file.
|
|
//TBD: You cannot use this setting and `ssl.key` at the same time.
|
|
end::ssl-keystore-path[]
|
|
|
|
tag::ssl-keystore-secure-key-password[]
|
|
The password for the key in the keystore. The default is the keystore password.
|
|
//TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time.
|
|
end::ssl-keystore-secure-key-password[]
|
|
|
|
tag::ssl-keystore-secure-password[]
|
|
The password for the keystore.
|
|
//TBD: You cannot use this setting and `ssl.keystore.password` at the same time.
|
|
end::ssl-keystore-secure-password[]
|
|
|
|
tag::ssl-keystore-type-pkcs12[]
|
|
The format of the keystore file. It must be either `jks` or `PKCS12`. If the
|
|
keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults
|
|
to `PKCS12`. Otherwise, it defaults to `jks`.
|
|
end::ssl-keystore-type-pkcs12[]
|
|
|
|
tag::ssl-secure-key-passphrase[]
|
|
The passphrase that is used to decrypt the private key. Since the key might not
|
|
be encrypted, this value is optional.
|
|
//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.
|
|
end::ssl-secure-key-passphrase[]
|
|
|
|
tag::ssl-supported-protocols[]
|
|
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
|
|
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3,
|
|
the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
|
|
`TLSv1.2,TLSv1.1`.
|
|
+
|
|
--
|
|
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
|
|
or `SSLv3`. See <<fips-140-compliance>>.
|
|
|
|
--
|
|
end::ssl-supported-protocols[]
|
|
|
|
tag::ssl-truststore-password[]
|
|
The password for the truststore.
|
|
+
|
|
You cannot use this setting and `ssl.truststore.secure_password` at the same
|
|
time.
|
|
//TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time.
|
|
end::ssl-truststore-password[]
|
|
|
|
tag::ssl-truststore-path[]
|
|
The path for the keystore that contains the certificates to trust. It must be
|
|
either a Java keystore (jks) or a PKCS#12 file.
|
|
+
|
|
You cannot use this setting and `ssl.certificate_authorities` at the same time.
|
|
//TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time.
|
|
end::ssl-truststore-path[]
|
|
|
|
tag::ssl-truststore-secure-password[]
|
|
Password for the truststore.
|
|
//TBD: You cannot use this setting and `ssl.truststore.password` at the same time.
|
|
end::ssl-truststore-secure-password[]
|
|
|
|
tag::ssl-truststore-type[]
|
|
The format of the truststore file. It must be either `jks` or `PKCS12`. If the
|
|
file name ends in ".p12", ".pfx" or "pkcs12", the default is `PKCS12`.
|
|
Otherwise, it defaults to `jks`.
|
|
end::ssl-truststore-type[]
|
|
|
|
tag::ssl-truststore-type-pkcs11[]
|
|
The format of the truststore file. For the Java keystore format, use `jks`. For
|
|
PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is
|
|
`jks`.
|
|
end::ssl-truststore-type-pkcs11[]
|
|
|
|
tag::ssl-verification-mode-values[]
|
|
Controls the verification of certificates.
|
|
+
|
|
Valid values are:
|
|
|
|
* `full`, which verifies that the provided certificate is signed by a trusted
|
|
authority (CA) and also verifies that the server's hostname (or IP address)
|
|
matches the names identified within the certificate.
|
|
* `certificate`, which verifies that the provided certificate is signed by a
|
|
trusted authority (CA), but does not perform any hostname verification.
|
|
* `none`, which performs _no verification_ of the server's certificate. This
|
|
mode disables many of the security benefits of SSL/TLS and should only be used
|
|
after very careful consideration. It is primarily intended as a temporary
|
|
diagnostic mechanism when attempting to resolve TLS errors; its use on
|
|
production clusters is strongly discouraged.
|
|
+
|
|
The default value is `full`.
|
|
end::ssl-verification-mode-values[]
|