Elasticsearch relies on your JDK’s implementation of SSL and TLS.
Different JDK versions support different versions of SSL, and this may affect how Elasticsearch operates.
This support applies when running on the default JSSE provider in the JDK. JVMs that are configured to use a FIPS 140-2 security provider might have a custom TLS implementation, which might support TLS protocol versions that differ from this list.
Check your security provider’s release notes for information on TLS support.
- SSL v3 is supported on all Elasticsearch compatible JDKs but is disabled by default. See Enabling additional SSL/TLS versions on your JDK.
- TLS v1.0 is supported on all Elasticsearch compatible JDKs. Some newer JDKs, including the JDK bundled with Elasticsearch, disable TLS v1.0 by default. See Enabling additional SSL/TLS versions on your JDK.
- TLS v1.1 is supported on all Elasticsearch compatible JDKs. Some newer JDKs, including the JDK bundled with Elasticsearch, disable TLS v1.1 by default. See Enabling additional SSL/TLS versions on your JDK.
- TLS v1.2 is supported on all Elasticsearch compatible JDKs. It is enabled by default on all JDKs that are supported by Elasticsearch, including the bundled JDK.
- TLS v1.3 is supported on JDK11 and later, and JDK8 builds newer than 8u261 (including the most recent release of each JDK8 distribution that Elasticsearch supports). TLS v1.3 is supported and enabled by default on the JDK that is bundled with Elasticsearch.
Although Elasticsearch supports running on older JDK8 builds without TLS v1.3, we recommend upgrading to a JDK version that includes TLS v1.3 for better support and updates.
The set of supported SSL/TLS versions for a JDK is controlled by a Java security properties file that is installed as part of your JDK.
This configuration file lists the SSL/TLS algorithms that are disabled in that JDK. Complete these steps to remove a TLS version from that list and use it in your JDK.
- Locate the configuration file for your JDK.
- Copy the jdk.tls.disabledAlgorithms setting from that file, and add it to a custom configuration file within the Elasticsearch configuration directory.
- In the custom configuration file, remove the value for the TLS version you want to use from jdk.tls.disabledAlgorithms.
- Configure Elasticsearch to pass a custom system property to the JDK so that your custom configuration file is used.
For the Elasticsearch bundled JDK, the configuration file is in a subdirectory of
the Elasticsearch home directory (
For JDK8, the configuration file is within the
of the Java installation.
If $JAVA_HOME points to the home directory of the JDK that you use to run Elasticsearch,
then the configuration file will be in:
For JDK11 or later, the configuration file is within the
directory of the Java installation.
If $JAVA_HOME points to the home directory of the JDK that you use to run
Elasticsearch, then the configuration file will be in:
Within the JDK configuration file is a line that starts with jdk.tls.disabledAlgorithms=.
This setting controls which protocols and algorithms are disabled in your JDK.
The value of that setting will typically span multiple lines.
For example, in OpenJDK 16 the setting is:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Create a new file in your Elasticsearch configuration directory named es.java.security.
Copy the jdk.tls.disabledAlgorithms setting from the JDK’s default configuration file into es.java.security.
You do not need to copy any other settings.
Edit the es.java.security file in your Elasticsearch configuration directory, and
modify the jdk.tls.disabledAlgorithms setting so that any SSL or TLS versions
that you wish to use are no longer listed.
For example, to enable TLSv1.1 on OpenJDK 16 (which uses the
jdk.tls.disabledAlgorithms settings shown previously), the
es.java.security file would contain the previously disabled TLS algorithms
except TLSv1.1:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
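The copy-and-edit steps above, as an added example that is not part of the Elasticsearch documentation: it reads the multi-line jdk.tls.disabledAlgorithms setting from a JDK configuration file and produces the single setting for es.java.security, matching entries exactly so that enabling TLSv1 does not also touch TLSv1.1. The function names and the sample file excerpt are constructed for illustration.

```python
PROPERTY = "jdk.tls.disabledAlgorithms"

# Constructed excerpt of a JDK security properties file. The disabledAlgorithms
# value is the OpenJDK 16 example from this page; the other lines are filler.
SAMPLE_JAVA_SECURITY = """\
# constructed sample, not a complete java.security file
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.tls.legacyAlgorithms=NULL, anon
"""


def read_property(text, name):
    """Return the comma-separated entries of a property, joining continuations."""
    lines = iter(text.splitlines())
    for line in lines:
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        if key.strip() != name:
            continue
        # A trailing backslash means the value continues on the next line.
        while value.endswith("\\"):
            value = value[:-1] + next(lines, "").strip()
        return [item.strip() for item in value.split(",") if item.strip()]
    raise KeyError(f"{name} not found")


def enable_protocols(entries, protocols):
    """Remove exact protocol names from the disabled list; the rest stay disabled."""
    wanted = set(protocols)
    missing = wanted - set(entries)
    if missing:
        # Nothing to remove: the version is already enabled or is misspelled.
        raise ValueError(f"not in the disabled list: {sorted(missing)}")
    return [entry for entry in entries if entry not in wanted]


def build_es_java_security(java_security_text, protocols):
    """Produce the one setting that es.java.security needs to contain."""
    entries = read_property(java_security_text, PROPERTY)
    return f"{PROPERTY}={', '.join(enable_protocols(entries, protocols))}\n"


if __name__ == "__main__":
    print(build_es_java_security(SAMPLE_JAVA_SECURITY, ["TLSv1.1"]), end="")
```
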
To enable your custom security policy, create a file named
java.security.options within the jvm.options.d
directory of your Elasticsearch configuration directory, with this content:
SSL/TLS versions can be enabled and disabled within Elasticsearch via the
ssl.supported_protocols settings.
Elasticsearch will only support the TLS versions that are enabled by the
underlying JDK. If you configure
ssl.supported_protocols to include a TLS version that is not enabled in your
JDK, then it will be silently ignored.
Similarly, a TLS version that is enabled in your JDK will not be used unless
it is configured as one of the
ssl.supported_protocols in Elasticsearch.