What version of TLS does SearchStax use?
Transport Layer Security (TLS) has periodic releases that improve security. Not everyone upgrades immediately to the latest release. For this reason, clients occasionally encounter a mismatch between the TLS version used by their local servers and that used by their SearchStax deployment.
Older SearchStax deployments used TLS 1.0. Some clients have elected to remain at that level. Current SearchStax deployments use TLS 1.1 and 1.2. A TLS mismatch can occur in situations like these:
- An older deployment using TLS 1.0 gets a SearchStax upgrade. The upgrade uses TLS 1.1 and 1.2 by default. Suddenly, the client's servers can't connect to the deployment.
- A client with older deployments (using TLS 1.0) elects to add a new deployment. The client's servers cannot connect to the new deployment even though all configuration details appear to be the same.
To determine which TLS versions are supported by your SearchStax deployment, use the nmap tool:
    $ nmap --script ssl-enum-ciphers -Pn -p 443 ss234034-us-west-1-aws.searchstax.com
    Host is up (0.042s latency).
    ...
    PORT    STATE SERVICE
    443/tcp open  https
    | ssl-enum-ciphers:
    |   TLSv1.1:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |   TLSv1.2:
    |     ciphers:
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |     compressors:
    |       NULL
    |     cipher preference: server
    |_  least strength: A
    Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds

In the example above, the SearchStax deployment supports TLS versions 1.1 and 1.2.
If you need to have the TLS version adjusted, contact the SearchStax Support Desk.
TLS 1.0 is deprecated!
Under the PCI Data Security Standard (PCI DSS) for safeguarding payment data, TLS 1.0 has been deprecated starting June 30, 2018. If your company wants to meet the standard, TLS 1.1 is the minimum acceptable version, and TLS 1.2 is strongly recommended. See Saying Goodbye to SSL/early TLS.
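The sketch below is an added example, not SearchStax code. It parses saved ssl-enum-ciphers output, reports which TLS versions a deployment offers, and compares them against the versions your own client can speak and against the TLS 1.1 minimum noted above. The names parse_scan, compare and SAMPLE_SCAN are hypothetical, and the sample scan text is constructed in the shape of the output shown earlier.

```python
import re

# Constructed sample: abbreviated ssl-enum-ciphers output in the same shape
# as the scan on this page (not a capture from a real deployment).
SAMPLE_SCAN = """\
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     cipher preference: server
|_  least strength: A
"""

# Protocol labels as nmap prints them, oldest first.
ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTO_RE = re.compile(r"^\|[ _]+((?:TLSv|SSLv)\d(?:\.\d)?):\s*$")
CIPHER_RE = re.compile(r"^\|[ _]+((?:TLS|SSL)_\w+)\b")

def parse_scan(text):
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        if proto:
            current = proto.group(1)
            offered[current] = []
            continue
        cipher = CIPHER_RE.match(line)
        if cipher and current:
            offered[current].append(cipher.group(1))
    return offered

def compare(text, client_versions, minimum="TLSv1.1"):
    """Compare server-offered versions with what the client supports.

    An empty "shared" list is the mismatch described on this page;
    "below_minimum" lists offered protocols older than `minimum`.
    """
    offered = parse_scan(text)
    floor = ORDER.index(minimum)
    return {
        "offered": [v for v in ORDER if v in offered],
        "shared": [v for v in ORDER if v in offered and v in client_versions],
        "below_minimum": [v for v in ORDER[:floor] if v in offered],
    }

if __name__ == "__main__":
    print(compare(SAMPLE_SCAN, {"TLSv1.0"}))
```

To use it on a real deployment, save the nmap output to a file and pass the file's contents as the first argument.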