common-defs.asciidoc

File metadata and controls

182 lines (160 loc) · 8.16 KB

tag::ssl-certificate[]
Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the key.
+
This setting can be used only if `ssl.key` is set.
end::ssl-certificate[]

tag::ssl-certificate-authorities[]
List of paths to PEM encoded certificate files that should be trusted.
+
This setting and `ssl.truststore.path` cannot be used at the same time.
end::ssl-certificate-authorities[]

tag::ssl-cipher-suites-values[]
Supported cipher suites vary depending on which version of Java you use. For example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`, `TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+
For more information, see Oracle’s Java Cryptography Architecture documentation.
end::ssl-cipher-suites-values[]

tag::ssl-cipher-suites-values-java11[]
Supported cipher suites vary depending on which version of Java you use. For example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`, `TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+
NOTE: The default cipher suites list above includes TLSv1.3 ciphers and ciphers that require the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for 256-bit AES encryption. If TLSv1.3 is not available, the TLSv1.3 ciphers `TLS_AES_256_GCM_SHA384` and `TLS_AES_128_GCM_SHA256` are not included in the default list. If 256-bit AES is unavailable, ciphers with `AES_256` in their names are not included in the default list. Finally, AES GCM has known performance issues in Java versions prior to 11 and is included in the default list only when using Java 11 or above.
+
For more information, see Oracle’s Java Cryptography Architecture documentation.
end::ssl-cipher-suites-values-java11[]
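The note above describes three exclusions applied to the default list. As an added illustration (not code from the Elasticsearch repository), the following Python applies those three rules to the documented Java 11 list so the resulting defaults for a given JVM can be seen at a glance; which suites a real JVM actually offers is still decided by its provider, so this models the documented default rather than probing the runtime.

```python
# Added example, not Elasticsearch code: models the three exclusions in the note
# above. JAVA11_DEFAULTS is the Java 11 default list as documented on this page.
JAVA11_DEFAULTS = [
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# The two TLSv1.3 suites the note names explicitly.
TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}


def default_cipher_suites(java_major, tls13_available=True, unlimited_aes=True):
    """Apply the note's three exclusions to the Java 11 list, preserving its order."""
    suites = []
    for suite in JAVA11_DEFAULTS:
        if suite in TLS13_SUITES and not tls13_available:
            continue  # TLSv1.3 suites are dropped when TLSv1.3 is not available
        if "AES_256" in suite and not unlimited_aes:
            continue  # 256-bit AES needs the unlimited strength policy files
        if "GCM" in suite and java_major < 11:
            continue  # AES GCM is only included on Java 11 or above
        suites.append(suite)
    return suites
```

On a Java 8 JVM without the unlimited strength policy the documented rules leave only the six AES-128 CBC suites, which is worth knowing before pinning `ssl.cipher_suites` by hand.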

tag::ssl-key-pem[]
Path to a PEM encoded file containing the private key.
+
If HTTP client authentication is required, it uses this file. You cannot use this setting and `ssl.keystore.path` at the same time.
end::ssl-key-pem[]

tag::ssl-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.
+
You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
end::ssl-key-passphrase[]

tag::ssl-keystore-key-password[]
The password for the key in the keystore. The default is the keystore password.
+
You cannot use this setting and `ssl.keystore.secure_password` at the same time.
end::ssl-keystore-key-password[]

tag::ssl-keystore-password[]
The password for the keystore.
end::ssl-keystore-password[]

tag::ssl-keystore-path[]
The path for the keystore file that contains a private key and certificate.
+
It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `ssl.key` at the same time.
end::ssl-keystore-path[]

tag::ssl-keystore-secure-key-password[]
The password for the key in the keystore. The default is the keystore password.
end::ssl-keystore-secure-key-password[]

tag::ssl-keystore-secure-password[]
The password for the keystore.
end::ssl-keystore-secure-password[]

tag::ssl-keystore-type-pkcs12[]
The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`.
end::ssl-keystore-type-pkcs12[]

tag::ssl-secure-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not be encrypted, this value is optional.
end::ssl-secure-key-passphrase[]

tag::ssl-supported-protocols[]
Supported protocols with versions. Valid protocols: `SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM’s SSL provider supports TLSv1.3, the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is `TLSv1.2,TLSv1.1`.
+
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` or `SSLv3`. See <<fips-140-compliance>>.
end::ssl-supported-protocols[]

tag::ssl-truststore-password[]
The password for the truststore.
+
You cannot use this setting and `ssl.truststore.secure_password` at the same time.
end::ssl-truststore-password[]

tag::ssl-truststore-path[]
The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.
+
You cannot use this setting and `ssl.certificate_authorities` at the same time.
end::ssl-truststore-path[]

tag::ssl-truststore-secure-password[]
Password for the truststore.
end::ssl-truststore-secure-password[]

tag::ssl-truststore-type[]
The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or ".pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`.
end::ssl-truststore-type[]

tag::ssl-truststore-type-pkcs11[]
The format of the truststore file. For the Java keystore format, use `jks`. For PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is `jks`.
end::ssl-truststore-type-pkcs11[]

tag::ssl-verification-mode-values[]
Controls the verification of certificates.
+
Valid values are:

 * `full`, which verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server’s hostname (or IP address) matches the names identified within the certificate.
 * `certificate`, which verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification.
 * `none`, which performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after very careful consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use on production clusters is strongly discouraged.
+
The default value is `full`.
end::ssl-verification-mode-values[]
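The definitions on this page state a number of constraints that a configuration can break without any single setting looking wrong on its own: mutually exclusive settings (`ssl.key` with `ssl.keystore.path`, `ssl.certificate_authorities` with `ssl.truststore.path`, each password with its `secure_` counterpart), `ssl.certificate` without `ssl.key`, `SSLv2Hello` or `SSLv3` under FIPS mode, store types outside the allowed set, and `none` verification. The following Python, added here and not part of the Elasticsearch docs or code base, checks a flat dict of `ssl.*` settings against exactly those stated rules; it assumes the setting names follow the tag names above and that the common prefix (for example `xpack.security.transport.`) has already been stripped.

```python
# Added example, not Elasticsearch code: checks a flat dict of ssl.* settings
# against the constraints the definitions above state (prefix already stripped).
from pathlib import PurePosixPath

# Pairs the definitions say cannot be used at the same time.
EXCLUSIVE = [
    ("ssl.key", "ssl.keystore.path"),
    ("ssl.certificate_authorities", "ssl.truststore.path"),
    ("ssl.key_passphrase", "ssl.secure_key_passphrase"),
    ("ssl.keystore.key_password", "ssl.keystore.secure_password"),
    ("ssl.keystore.password", "ssl.keystore.secure_password"),
    ("ssl.truststore.password", "ssl.truststore.secure_password"),
]
VALID_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
STORE_TYPES = {"keystore": {"jks", "PKCS12"}, "truststore": {"jks", "PKCS12", "PKCS11"}}

def default_store_type(path):
    """Format a keystore or truststore defaults to when its ssl.*.type is unset."""
    return "PKCS12" if PurePosixPath(path).suffix in {".p12", ".pfx", ".pkcs12"} else "jks"

def check_ssl_settings(settings, fips_mode=False):
    """Return the list of problems found in a flat dict of ssl.* settings."""
    issues = []
    for a, b in EXCLUSIVE:
        if a in settings and b in settings:
            issues.append(f"{a} and {b} cannot be used at the same time")
    if "ssl.certificate" in settings and "ssl.key" not in settings:
        issues.append("ssl.certificate can be used only if ssl.key is set")
    for proto in filter(None, settings.get("ssl.supported_protocols", "").replace(" ", "").split(",")):
        if proto not in VALID_PROTOCOLS:
            issues.append(f"unknown protocol {proto}")
        elif fips_mode and proto in {"SSLv2Hello", "SSLv3"}:
            issues.append(f"{proto} cannot be used when xpack.security.fips_mode.enabled is true")
    mode = settings.get("ssl.verification_mode", "full")
    if mode not in {"full", "certificate", "none"}:
        issues.append(f"invalid ssl.verification_mode {mode}")
    elif mode == "none":
        issues.append("ssl.verification_mode none performs no certificate verification; diagnostic use only")
    for store, allowed in STORE_TYPES.items():
        path = settings.get(f"ssl.{store}.path")
        # An explicit type wins; otherwise infer it from the file extension as documented.
        kind = settings.get(f"ssl.{store}.type") or (default_store_type(path) if path else None)
        if kind and kind not in allowed:
            issues.append(f"ssl.{store}.type must be one of {sorted(allowed)}, got {kind}")
    return issues

# Constructed sample (not a real deployment) that mixes PEM and keystore settings.
SAMPLE = {"ssl.key": "certs/node.key", "ssl.certificate": "certs/node.crt",
          "ssl.keystore.path": "certs/node.p12", "ssl.verification_mode": "none",
          "ssl.supported_protocols": "TLSv1.2,SSLv3"}
```

Run against `SAMPLE` with `fips_mode=True` it reports the PEM/keystore conflict, the forbidden `SSLv3`, and the `none` verification mode, while accepting the `.p12` keystore whose type it infers as `PKCS12`.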