Transport Layer Security (TLS) has periodic releases that improve security. Not everyone upgrades immediately to the latest release. For this reason, clients occasionally encounter a mismatch between the TLS version used by their local servers and that used by their SearchStax deployment.
Older SearchStax deployments used TLS 1.0. Some clients have elected to remain at that level. Current SearchStax deployments use TLS 1.1 and 1.2. A TLS mismatch can occur in situations like these:
- An older deployment using TLS 1.0 gets a SearchStax upgrade. The upgrade uses TLS 1.1 and 1.2 by default. Suddenly, the client’s servers can’t connect to the deployment.
- A client with older deployments (using TLS 1.0) elects to add a new deployment. The client’s servers cannot connect to the new deployment even though all configuration details appear to be the same.
To determine which TLS versions are supported by your SearchStax deployment, use the nmap tool:
```
$ nmap --script ssl-enum-ciphers -Pn -p 443 ss123456-us-west-1-aws.searchstax.com
Host is up (0.042s latency).
...
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds
```
In the example above, the SearchStax deployment supports TLS versions 1.1 and 1.2.
If you need to have the TLS version adjusted, contact the SearchStax Support Desk.
TLS 1.0 is deprecated!
Per PCI standards, TLS 1.0 has been deprecated as of June 30, 2018 for any company that wants to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. TLS 1.1 is the minimum acceptable standard, and TLS 1.2 is strongly recommended. See Saying Goodbye to SSL/early TLS.
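The nmap check above can be scripted so that a mismatch is caught before an upgrade rather than after. The following is an added example, not SearchStax code: it parses `ssl-enum-ciphers` output, reports which TLS versions a client and the deployment have in common, and flags anything below the TLS 1.1 minimum cited above. The function names and the abbreviated sample scan are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a deployment's TLS versions (from nmap) with a client's.

# Constructed sample: abbreviated ssl-enum-ciphers output in the format shown above.
SAMPLE_SCAN='443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     cipher preference: server
|_  least strength: A'

# Read scan output on stdin; print each protocol the server offers, one per line.
# Only section headers such as "|   TLSv1.1:" match, not cipher-suite names.
server_versions() {
    awk '/^\|[ _]+(SSLv[0-9]+|TLSv[0-9.]+):[ \t]*$/ { sub(/:.*/, "", $2); print $2 }'
}

# usage: common_versions SCAN_TEXT CLIENT_VERSION...
# Print versions both sides support; return 1 when there is no overlap,
# which is the mismatch case where the client cannot connect.
common_versions() {
    scan=$1; shift
    rc=1
    for offered in $(printf '%s\n' "$scan" | server_versions); do
        for wanted in "$@"; do
            if [ "$offered" = "$wanted" ]; then echo "$offered"; rc=0; fi
        done
    done
    return $rc
}

# Print offered versions below TLS 1.1, the minimum the page cites for PCI DSS.
# Returns 1 when none are offered.
below_minimum() {
    printf '%s\n' "$1" | server_versions | grep -E '^(SSLv[0-9]+|TLSv1\.0)$'
}

# Scenario from the page: a client that only speaks TLS 1.0 meets this deployment.
if common_versions "$SAMPLE_SCAN" TLSv1.0 >/dev/null; then
    echo "client can connect"
else
    echo "TLS mismatch: deployment offers $(printf '%s\n' "$SAMPLE_SCAN" | server_versions | tr '\n' ' ')"
fi
```

To use it against a real scan, pass the saved nmap output as the first argument in place of `$SAMPLE_SCAN`, followed by the versions your client stack has enabled.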