elasticsearch/docs/reference/settings/common-defs.asciidoc

tag::ssl-certificate[]
Specifies the path for the PEM encoded certificate (or certificate chain) that is
associated with the key.
//TBD: This setting can be used only if `ssl.key` is set.
end::ssl-certificate[]

tag::ssl-certificate-authorities[]
List of paths to PEM encoded certificate files that should be trusted.
//TBD: You cannot use this setting and `ssl.truststore.path` at the same time.
end::ssl-certificate-authorities[]

tag::ssl-cipher-suites-values[]
Supported cipher suites vary depending on which version of Java you use. For
example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`, 
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`, 
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
For more information, see Oracle's
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
end::ssl-cipher-suites-values[]

tag::ssl-cipher-suites-values-java11[]
Supported cipher suites vary depending on which version of Java you use. For
example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, 
`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, 
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, 
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, 
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, 
`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, 
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`,
`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`,
`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
`TLS_RSA_WITH_AES_128_CBC_SHA`. For more information, see Oracle's
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
end::ssl-cipher-suites-values-java11[]

tag::ssl-key-pem[]
Path to a PEM encoded file containing the private key.
//TBD: You cannot use this setting and `ssl.keystore.path` at the same time.
end::ssl-key-pem[]

tag::ssl-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional.
//TBD: You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
end::ssl-key-passphrase[]

tag::ssl-keystore-key-password[]
The password for the key in the keystore. The default is the keystore password.
//TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time.
end::ssl-keystore-key-password[]

tag::ssl-keystore-password[]
The password for the keystore.
//TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time.
end::ssl-keystore-password[]

tag::ssl-keystore-path[]
The path for the keystore file that contains a private key and certificate.
//TBD: It must be either a Java keystore (jks) or a PKCS#12 file.
//TBD: You cannot use this setting and `ssl.key` at the same time.
end::ssl-keystore-path[]

tag::ssl-keystore-secure-key-password[]
The password for the key in the keystore. The default is the keystore password.
//TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time.
end::ssl-keystore-secure-key-password[]

tag::ssl-keystore-secure-password[]
The password for the keystore.
//TBD: You cannot use this setting and `ssl.keystore.password` at the same time.
end::ssl-keystore-secure-password[]

tag::ssl-keystore-type-pkcs12[]
The format of the keystore file. It must be either `jks` or `PKCS12`. If the
keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults 
to `PKCS12`. Otherwise, it defaults to `jks`.
end::ssl-keystore-type-pkcs12[]

tag::ssl-secure-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional. 
//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.
end::ssl-secure-key-passphrase[]

tag::ssl-supported-protocols[]
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3,
the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
`TLSv1.2,TLSv1.1`.
+
--
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello` 
or `SSLv3`. See <<fips-140-compliance>>.

--
end::ssl-supported-protocols[]

tag::ssl-truststore-password[]
The password for the truststore.
//TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time.
end::ssl-truststore-password[]

tag::ssl-truststore-path[]
The path for the keystore that contains the certificates to trust. It must be
either a Java keystore (jks) or a PKCS#12 file.
//TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time.
end::ssl-truststore-path[]

tag::ssl-truststore-secure-password[]
Password for the truststore.
//TBD: You cannot use this setting and `ssl.truststore.password` at the same time.
end::ssl-truststore-secure-password[]

tag::ssl-truststore-type[]
The format of the truststore file. It must be either `jks` or `PKCS12`. If the
file name ends in ".p12", ".pfx" or "pkcs12", the default is `PKCS12`.
Otherwise, it defaults to `jks`.
end::ssl-truststore-type[]

tag::ssl-truststore-type-pkcs11[]
The format of the truststore file. For the Java keystore format, use `jks`. For
PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is
`jks`.
end::ssl-truststore-type-pkcs11[]

tag::ssl-verification-mode-values[]
Valid values are:
- `full`, which verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server's hostname (or IP address)
matches the names identified within the certificate.
- `certificate`, which verifies that the provided certificate is signed by a
trusted authority (CA), but does not perform any hostname verification.
- `none`, which performs _no verification_ of the server's certificate. This
mode disables many of the security benefits of SSL/TLS and should only be used
after very careful consideration. It is primarily intended as a temporary
diagnostic mechanism when attempting to resolve TLS errors; its use on
production clusters is strongly discouraged.
+
The default value is `full`.
end::ssl-verification-mode-values[]
[DOCS] Adds common definitions for security settings (#51017) Co-Authored-By: Tim Vernum <tim@adjective.org> 2020-03-07 03:28:21 +08:00			`tag::ssl-certificate[]`
			`Specifies the path for the PEM encoded certificate (or certificate chain) that is`
			`associated with the key.`
			//TBD: This setting can be used only if `ssl.key` is set.
			`end::ssl-certificate[]`

			`tag::ssl-certificate-authorities[]`
			`List of paths to PEM encoded certificate files that should be trusted.`
			//TBD: You cannot use this setting and `ssl.truststore.path` at the same time.
			`end::ssl-certificate-authorities[]`

			`tag::ssl-cipher-suites-values[]`
			`Supported cipher suites vary depending on which version of Java you use. For`
			example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`,
			`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`,
			`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
			`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
			`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
			`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
			`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
			`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
			`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
			`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
			`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
			`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
			`For more information, see Oracle's`
			`https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].`
			`end::ssl-cipher-suites-values[]`

			`tag::ssl-cipher-suites-values-java11[]`
			`Supported cipher suites vary depending on which version of Java you use. For`
			example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
			`TLS_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
			`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
			`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`,
			`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`,
			`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
			`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
			`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`,
			`TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA256`,
			`TLS_RSA_WITH_AES_128_CBC_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`,
			`TLS_RSA_WITH_AES_128_CBC_SHA`. For more information, see Oracle's
			`https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].`
			`end::ssl-cipher-suites-values-java11[]`

			`tag::ssl-key-pem[]`
			`Path to a PEM encoded file containing the private key.`
			//TBD: You cannot use this setting and `ssl.keystore.path` at the same time.
			`end::ssl-key-pem[]`

			`tag::ssl-key-passphrase[]`
			`The passphrase that is used to decrypt the private key. Since the key might not`
			`be encrypted, this value is optional.`
			//TBD: You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
			`end::ssl-key-passphrase[]`

			`tag::ssl-keystore-key-password[]`
			`The password for the key in the keystore. The default is the keystore password.`
			//TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time.
			`end::ssl-keystore-key-password[]`

			`tag::ssl-keystore-password[]`
			`The password for the keystore.`
			//TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time.
			`end::ssl-keystore-password[]`

			`tag::ssl-keystore-path[]`
			`The path for the keystore file that contains a private key and certificate.`
			`//TBD: It must be either a Java keystore (jks) or a PKCS#12 file.`
			//TBD: You cannot use this setting and `ssl.key` at the same time.
			`end::ssl-keystore-path[]`

			`tag::ssl-keystore-secure-key-password[]`
			`The password for the key in the keystore. The default is the keystore password.`
			//TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time.
			`end::ssl-keystore-secure-key-password[]`

			`tag::ssl-keystore-secure-password[]`
			`The password for the keystore.`
			//TBD: You cannot use this setting and `ssl.keystore.password` at the same time.
			`end::ssl-keystore-secure-password[]`

			`tag::ssl-keystore-type-pkcs12[]`
			The format of the keystore file. It must be either `jks` or `PKCS12`. If the
			`keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults`
			to `PKCS12`. Otherwise, it defaults to `jks`.
			`end::ssl-keystore-type-pkcs12[]`

			`tag::ssl-secure-key-passphrase[]`
			`The passphrase that is used to decrypt the private key. Since the key might not`
			`be encrypted, this value is optional.`
			//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.
			`end::ssl-secure-key-passphrase[]`

			`tag::ssl-supported-protocols[]`
			Supported protocols with versions. Valid protocols: `SSLv2Hello`,
			`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3,
			the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
			`TLSv1.2,TLSv1.1`.
			`+`
			`--`
			NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
			or `SSLv3`. See <<fips-140-compliance>>.

			`--`
			`end::ssl-supported-protocols[]`

			`tag::ssl-truststore-password[]`
			`The password for the truststore.`
			//TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time.
			`end::ssl-truststore-password[]`

			`tag::ssl-truststore-path[]`
			`The path for the keystore that contains the certificates to trust. It must be`
			`either a Java keystore (jks) or a PKCS#12 file.`
			//TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time.
			`end::ssl-truststore-path[]`

			`tag::ssl-truststore-secure-password[]`
			`Password for the truststore.`
			//TBD: You cannot use this setting and `ssl.truststore.password` at the same time.
			`end::ssl-truststore-secure-password[]`

			`tag::ssl-truststore-type[]`
			The format of the truststore file. It must be either `jks` or `PKCS12`. If the
			file name ends in ".p12", ".pfx" or "pkcs12", the default is `PKCS12`.
			Otherwise, it defaults to `jks`.
			`end::ssl-truststore-type[]`

			`tag::ssl-truststore-type-pkcs11[]`
			The format of the truststore file. For the Java keystore format, use `jks`. For
			PKCS#12 files, use `PKCS12`. For a PKCS#11 token, use `PKCS11`. The default is
			`jks`.
			`end::ssl-truststore-type-pkcs11[]`

			`tag::ssl-verification-mode-values[]`
			`Valid values are:`
			- `full`, which verifies that the provided certificate is signed by a trusted
			`authority (CA) and also verifies that the server's hostname (or IP address)`
			`matches the names identified within the certificate.`
			- `certificate`, which verifies that the provided certificate is signed by a
			`trusted authority (CA), but does not perform any hostname verification.`
			- `none`, which performs _no verification_ of the server's certificate. This
			`mode disables many of the security benefits of SSL/TLS and should only be used`
			`after very careful consideration. It is primarily intended as a temporary`
			`diagnostic mechanism when attempting to resolve TLS errors; its use on`
			`production clusters is strongly discouraged.`
			`+`
			The default value is `full`.
			`end::ssl-verification-mode-values[]`