Version: 6.x-21
This is an older version of Search Guard. Switch to Latest version
Community

OpenSSL setup

Search Guard supports OpenSSL. Using OpenSSL will result in better performance and better support for strong and modern cipher suites when compared JCE. We recommend to use OpenSSL for production systems.

Dynamically linked

(Open SSL and Apache Portable Runtime (apr) needs to be installed)

  • If you are on Alpine Linux please refer to this post. We recommend to use our statically linked version below because Alpine comes normally with LibreSSL instead of OpenSSL installed. LibreSSL may work but is not officially supported and untested. Also make sure you have installed ‘libuuid’ on Alpine accoring to this post.

  • Open SSL on Windows may work but is not officially supported and untested. Refer to netty-tcnative wiki for more infos.

  • Install latest 1.0.2 OpenSSL version on every node (1.0.1 does also work but is outdated and may lack hostname validation functionality). OpenSSL 1.1.0 is supported for ES >= 6.5.0. OpenSSL 1.1.1 is not supported currently.
  • Install APR - Apache Portable Runtime on every node
    • https://apr.apache.org
    • On Debian/Ubuntu, Apache Portable Runtime can be installed with sudo apt-get install libapr1
    • On RHEL/CentOS/Fedora, Apache Portable Runtime can be installed with sudo yum install apr
  • Download netty-tcnative for your platform and Search Guard version
    • Linux (non fedora based): _linux-x86_64.jar_ (Debian, Ubuntu, …)
    • Fedora based linux: _linux-x86_64-fedora.jar_ (RHEL, CentOS, Fedora)
    • Mac: _osx-x86_64.jar_
    • Windows: _windows-x86_64.jar_
    • Alpine: Compile it yourself (or use statically linked version below)
  • Search Guard 6.5.x and higher (Open SSL 1.1.0):
  • Search Guard 6.2.x,6.3.x,6.4.x (Open SSL 1.0.1):
    • Version: 2.0.7.Final (compiled against Open SSL 1.0.1 which lacks hostname validation)
    • http://repo1.maven.org/maven2/io/netty/netty-tcnative/2.0.7.Final
    • Choose the correct version for you platform, one of _linux-x86_64.jar_, _linux-x86_64-fedora.jar_, _osx-x86_64.jar_ or _windows-x86_64.jar_
    • Put it into the elasticsearch plugins/search-guard-6/ folder on every node
  • Search Guard 6.2.x,6.3.x,6.4.x (Open SSL 1.0.2):
  • Search Guard 6.1.x (Open SSL 1.0.2):
  • Search Guard 6.1.x (Open SSL 1.0.1):
    • Version: 2.0.5.Final (compiled against Open SSL 1.0.1 which lacks hostname validation)
    • http://repo1.maven.org/maven2/io/netty/netty-tcnative/2.0.5.Final
    • Choose the correct version for you platform, one of _linux-x86_64.jar_, _linux-x86_64-fedora.jar_, _osx-x86_64.jar_ or _windows-x86_64.jar_
    • Put it into the elasticsearch plugins/search-guard-6/ folder on every node

If you update the plugin (or re-install it after removal) don’t forget to add netty-tcnative .jar again

Statically linked (Linux only)

(Does not need Open SSL/Apache Portable Runtime (apr) to be installed on the server)

If you update the plugin (or re-install it after removal) don’t forget to add netty-tcnative .jar again

LibreSSL

May work well but not officially supported. We have a few static builds here but only consider to use them if you run in trouble with OpenSSL.

BoringSSL

May work well but not officially supported. Binaries are provided here by the netty project.


Not what you were looking for? Try the search.