Changes to support for ciphers used to connect to Elasticsearch Service
At Elastic Cloud we are committed to offering our customers the most secure way to run their workloads in the cloud. With the goal of being “secure by default,” we are deprecating ciphers that are considered weak and insecure. Going forward, we will only support ciphers that are included in the Mozilla intermediate list (edit: we are adding AES128-GCM-SHA256 and AES256-GCM-SHA384 to this list for Windows 11 compatibility).
This change is scheduled to take effect after Jan 30th 2022. If you only have deployments in Azure regions, this change does not affect you.
We will communicate a precise date closer to the change.
What are the changes?
We are updating the list of ciphers supported for clients connecting to their Elasticsearch clusters, Kibana, or other components on Elasticsearch Service. The change has two parts:
- We will deprecate certain ciphers that are considered weak by modern encryption standards. The ciphers we are going to stop supporting in all regions are:
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-DES-CBC3-SHA
- AES128-SHA256
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA
- We are only going to support the ciphers that are included in the Mozilla intermediate list of ciphers and are considered a security best practice. In addition to the ciphers in the Mozilla intermediate list we have also added AES128-GCM-SHA256 and AES256-GCM-SHA384 (see list below) for Windows 11 compatibility. We will remove these at a later point of time.
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES-128-CBC-SHA
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
Edit: We have added ECDHE-ECDSA-AES128-GCM-SHA256, AES128-GCM-SHA256 and AES256-GCM-SHA384 to the list of supported ciphers since the last update.
What is the impact on me?
If any of your clients supports none of the ciphers in the list above, you will need to update that client before the change. Otherwise it will no longer be able to communicate with your cluster or any other endpoint on Elastic Cloud (Kibana, APM Server, etc.) once the cipher list is updated.
What should I do if I have clients that are using outdated ciphers?
If there are many teams at your organization using various clients, we recommend sending them a note on the upcoming changes encouraging them to update their clients. If you still don’t know what to do, reach out to support@elastic.co.
How do I test which ciphers my clients support?
These changes are already in effect in the following regions, so you can test your clients by creating a small test deployment in one of them. If all of your deployments are in these regions, the change does not impact you.
AWS
- af-south-1
- ca-central-1
- eu-north-1
- eu-south-1
- eu-west-3
- me-south-1
- ap-east-1
- ap-south-1
- ap-northeast-2
GCP
- asia-east1
- asia-northeast1
- asia-northeast3
- asia-southeast1
- australia-southeast1
- northamerica-northeast1
- southamerica-east1
- us-east1
- us-east4
- us-west2
What will happen if I do nothing?
In the TLS handshake the client offers the cipher suites it supports and the server selects one that it also supports. If a client supports none of the ciphers that will remain after the change, the server cannot select a cipher and aborts the handshake with a handshake_failure alert, so that client will not be able to establish a connection with your Elasticsearch cluster or other Elastic Cloud endpoints (Kibana, APM Server, etc.), leading to downtime. We strongly recommend updating such clients.
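As an added, runnable illustration of the two points above (how to test what your clients support, and why a client with no shared cipher cannot connect), the following Python script is editor-supplied example code, not an Elastic tool. It asks the local OpenSSL library, through the standard ssl module, which of the announced suites this machine's client can actually offer, models the TLS 1.2 negotiation as the overlap between a client's cipher string and the post-change server list, and can optionally perform a live handshake against a deployment endpoint. The cipher names are the OpenSSL names from the lists above (the one entry that is not a valid OpenSSL name is left out); the function names and the hostname argument are illustrative.

```python
"""Check which post-change Elastic Cloud cipher suites a local TLS client can
negotiate, using OpenSSL's own cipher-string parser via Python's ssl module.
Added example for this announcement; not Elastic's tooling. Cipher names are
the OpenSSL names used in the announcement.
"""
import socket
import ssl

# Suites the announcement says will remain supported (OpenSSL names).
SUPPORTED_AFTER_CHANGE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",  # kept for Windows 11 compatibility
    "AES256-GCM-SHA384",  # kept for Windows 11 compatibility
]

# Suites the announcement says will be removed (OpenSSL names).
DEPRECATED = [
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA256", "AES128-SHA",
    "AES256-SHA", "DES-CBC3-SHA",
]


def tls12_ciphers_enabled(cipher_string):
    """Return the TLS 1.2-and-below cipher names OpenSSL enables for
    cipher_string in this process. This reflects the local OpenSSL build and
    its security level, which is exactly what a client on this machine can
    offer. TLS 1.3 suites are filtered out because set_ciphers() does not
    govern them. Returns [] if OpenSSL rejects the string entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def local_client_can_use(candidates=SUPPORTED_AFTER_CHANGE):
    """Which of the candidate suites this machine's OpenSSL can actually offer."""
    enabled = set(tls12_ciphers_enabled(":".join(candidates)))
    return [name for name in candidates if name in enabled]


def tls12_handshake_possible(client_cipher_string, server_names=SUPPORTED_AFTER_CHANGE):
    """Model the negotiation: a TLS 1.2 handshake can only succeed if the
    client offers at least one suite in the server's list. Returns the
    suites both sides share (empty means handshake_failure)."""
    client = set(tls12_ciphers_enabled(client_cipher_string))
    return sorted(client & set(server_names))


def probe_endpoint(host, port=443, timeout=5.0):
    """Live check against a deployment endpoint (hostname is an assumption you
    supply): connect with the process default TLS settings and report which
    (cipher, protocol) the server picked. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
            return name, proto


if __name__ == "__main__":
    print("post-change suites this client can offer:", local_client_can_use())
    # A client pinned to the deprecated CBC suites shares nothing with the
    # new server list, so its TLS 1.2 handshake would fail.
    print("deprecated-only client shares:", tls12_handshake_possible(":".join(DEPRECATED)))
```

To test a real client, run its connection against a small deployment in one of the regions listed above and look for a handshake_failure alert; to check a deployment from this script, call probe_endpoint("your-deployment-host") and confirm the reported suite is in SUPPORTED_AFTER_CHANGE. Note that a client negotiating TLS 1.3 uses the TLS 1.3 suites and is unaffected by this list.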
All ESS customers will be contacted by email about these changes. We will send regular email reminders and status page updates closer to the dates when the changes roll out.