tag::ssl-certificate[]
Specifies the path for the PEM encoded certificate (or certificate chain) that is
associated with the key.
+
This setting can be used only if `ssl.key` is set.
end::ssl-certificate[]

tag::ssl-certificate-authorities[]
List of paths to PEM encoded certificate files that should be trusted.
+
This setting and `ssl.truststore.path` cannot be used at the same time.
end::ssl-certificate-authorities[]

tag::ssl-cipher-suites-values[]
Supported cipher suites vary depending on which version of Java you use. For
example, for version 12 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`, `TLS_CHACHA20_POLY1305_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`, `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+
For more information, see Oracle's
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
end::ssl-cipher-suites-values[]

tag::ssl-cipher-suites-values-java11[]
Supported cipher suites vary depending on which version of Java you use.
For example, for version 11 the default value is `TLS_AES_256_GCM_SHA384`,
`TLS_AES_128_GCM_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
`TLS_RSA_WITH_AES_256_GCM_SHA384`, `TLS_RSA_WITH_AES_128_GCM_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA256`, `TLS_RSA_WITH_AES_128_CBC_SHA256`,
`TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_128_CBC_SHA`.
+
For more information, see Oracle's
https://docs.oracle.com/en/java/javase/11/security/oracle-providers.html#GUID-7093246A-31A3-4304-AC5F-5FB6400405E2[Java Cryptography Architecture documentation].
end::ssl-cipher-suites-values-java11[]

tag::ssl-key-pem[]
Path to a PEM encoded file containing the private key.
+
If HTTP client authentication is required, it uses this file. You cannot use
this setting and `ssl.keystore.path` at the same time.
end::ssl-key-pem[]

tag::ssl-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional.
+
You cannot use this setting and `ssl.secure_key_passphrase` at the same time.
end::ssl-key-passphrase[]

tag::ssl-keystore-key-password[]
The password for the key in the keystore. The default is the keystore password.
+
You cannot use this setting and `ssl.keystore.secure_password` at the same time.
//TBD: You cannot use this setting and `ssl.keystore.secure_key_password` at the same time.
end::ssl-keystore-key-password[]

tag::ssl-keystore-password[]
The password for the keystore.
//TBD: You cannot use this setting and `ssl.keystore.secure_password` at the same time.
end::ssl-keystore-password[]

tag::ssl-keystore-path[]
The path for the keystore file that contains a private key and certificate.
+
It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this
setting and `ssl.key` at the same time.
//TBD: It must be either a Java keystore (jks) or a PKCS#12 file.
//TBD: You cannot use this setting and `ssl.key` at the same time.
end::ssl-keystore-path[]

tag::ssl-keystore-secure-key-password[]
The password for the key in the keystore. The default is the keystore password.
//TBD: You cannot use this setting and `ssl.keystore.key_password` at the same time.
end::ssl-keystore-secure-key-password[]

tag::ssl-keystore-secure-password[]
The password for the keystore.
//TBD: You cannot use this setting and `ssl.keystore.password` at the same time.
end::ssl-keystore-secure-password[]

tag::ssl-keystore-type-pkcs12[]
The format of the keystore file. It must be either `jks` or `PKCS12`. If the
keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults
to `PKCS12`. Otherwise, it defaults to `jks`.
end::ssl-keystore-type-pkcs12[]

tag::ssl-secure-key-passphrase[]
The passphrase that is used to decrypt the private key. Since the key might not
be encrypted, this value is optional.
//TBD: You cannot use this setting and `ssl.key_passphrase` at the same time.
end::ssl-secure-key-passphrase[]

tag::ssl-supported-protocols[]
Supported protocols with versions. Valid protocols: `SSLv2Hello`,
`SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`. If the JVM's SSL provider supports TLSv1.3,
the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
`TLSv1.2,TLSv1.1`.
+
{es} relies on your JDK’s implementation of SSL and TLS.
View <> for more information.
+
--
NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
or `SSLv3`. See <>.
--
end::ssl-supported-protocols[]

tag::ssl-truststore-password[]
The password for the truststore.
+
You cannot use this setting and `ssl.truststore.secure_password` at the same
time.
//TBD: You cannot use this setting and `ssl.truststore.secure_password` at the same time.
end::ssl-truststore-password[]

tag::ssl-truststore-path[]
The path for the keystore that contains the certificates to trust. It must be
either a Java keystore (jks) or a PKCS#12 file.
+
You cannot use this setting and `ssl.certificate_authorities` at the same time.
//TBD: You cannot use this setting and `ssl.certificate_authorities` at the same time.
end::ssl-truststore-path[]

tag::ssl-truststore-secure-password[]
Password for the truststore.
//TBD: You cannot use this setting and `ssl.truststore.password` at the same time.
end::ssl-truststore-secure-password[]

tag::ssl-truststore-type[]
The format of the truststore file. It must be either `jks` or `PKCS12`. If the
file name ends in ".p12", ".pfx" or ".pkcs12", the default is `PKCS12`.
Otherwise, it defaults to `jks`.
end::ssl-truststore-type[]

tag::ssl-verification-mode-values[]
Controls the verification of certificates.
+
Valid values are:

  * `full`, which verifies that the provided certificate is signed by a trusted
    authority (CA) and also verifies that the server's hostname (or IP address)
    matches the names identified within the certificate.
  * `certificate`, which verifies that the provided certificate is signed by a
    trusted authority (CA), but does not perform any hostname verification.
  * `none`, which performs _no verification_ of the server's certificate. This
    mode disables many of the security benefits of SSL/TLS and should only be used
    after very careful consideration. It is primarily intended as a temporary
    diagnostic mechanism when attempting to resolve TLS errors; its use on
    production clusters is strongly discouraged.
+
The default value is `full`.
end::ssl-verification-mode-values[]