News

Changes to support for ciphers used to connect to Elasticsearch Service

At Elastic Cloud we are committed to offering our customers the most secure way to run their workloads in the cloud. With the goal of being “secure by default,” we are deprecating ciphers that are considered weak and insecure. Going forward, we will only support ciphers that are included in the Mozilla intermediate list. These changes will take effect after January 30, 2022. We will communicate a precise date closer to the change.

What are the changes?

We are updating the list of ciphers supported for clients connecting to their Elasticsearch clusters, Kibana, or other components on Elasticsearch Service. The changes are basically on two fronts:

  • We will deprecate certain ciphers that are considered weak by modern encryption standards. The ciphers we are going to stop supporting in all regions are: 
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-RSA-AES128-SHA
    • ECDHE-ECDSA-AES256-SHA
    • ECDHE-RSA-AES256-SHA
    • ECDHE-RSA-DES-CBC3-SHA
    • AES128-GCM-SHA256
    • AES256-GCM-SHA384
    • AES128-SHA256
    • AES128-SHA
    • AES256-SHA1
    • DES-CBC3-SHA
  • We are only going to support the ciphers that are included in the Mozilla intermediate list of ciphers and are considered a security best practice:
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-CHACHA20-POLY1305
    • ECDHE-RSA-CHACHA20-POLY1305
    • ECDHE-RSA-AES-128-CBC-SHA
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-RSA-AES128-SHA256

What is the impact on me?

If you use clients that do not currently support at least one of the ciphers from the list of ciphers to be supported, you will need to update your clients to do so. This is important to be able to communicate with your cluster or any endpoints on Elastic Cloud (Kibana, APM Server, etc.) once the cipher list is updated.

What should I do if I have clients that are using outdated ciphers?

If there are many teams at your organization using various clients, we recommend sending them a note on the upcoming changes encouraging them to update their clients. If you still don’t know what to do, reach out to support@elastic.co.  

What will happen if I do nothing?

The TLS handshake involves a client and a server negotiating a cipher supported by both parties. If you are running clients that support none of the ciphers that will be supported after the change, such clients will not be able to establish a connection with your Elasticsearch cluster or other Elastic Cloud endpoints (Kibana, APM Server, etc.), leading to downtime. We strongly recommend updating such clients.

What are the other steps Elastic will take to avoid outages?

We are planning to do a test run a few weeks before the final change, and will post the details on our status page a week before the test run. The test run should help you identify clients that you might have missed upgrading. 

All ESS customers will be contacted by email about these changes, we will send regular email reminders and status page updates closer to the dates when the changes will roll out.