Briefly, this is an INFO-level message, not an error. Elasticsearch logs it when it detects that the JVM's SunJSSE provider has been configured in FIPS 140 mode (a Java 8 setup, where SunJSSE is backed by a separate FIPS crypto provider). In that mode SunJSSE only accepts its own trust managers when an SSLContext is initialised, so Elasticsearch cannot wrap the X509TrustManager in its DiagnosticTrustManager and therefore skips the detailed SSL/TLS trust diagnostics. TLS itself keeps working; what you lose is the extra output that explains why a peer certificate chain was not trusted. If you want those diagnostics, either run Elasticsearch in its own FIPS mode (xpack.security.fips_mode.enabled: true) on top of a FIPS 140-2 compliant provider such as Bouncy Castle FIPS (BCFIPS) rather than SunJSSE in FIPS mode, or take the JVM out of FIPS mode if FIPS is not a requirement. Note that with xpack.security.fips_mode.enabled: true the trust diagnostics are also off by default and have to be switched on explicitly with xpack.security.ssl.diagnose.trust: true. Whichever route you take, keep the JVM's java.security provider list and the Elasticsearch SSL settings consistent with each other.
This guide will help you check for common problems that cause the log “diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concept: plugin.
Log Context
The log “diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.” is emitted from the class SSLService.java.
We extracted the following from the Elasticsearch source code for those seeking in-depth context:
```java
private boolean shouldEnableDiagnoseTrust() {
    // We disable the DiagnosticTrustManager in Java 8 when SunJSSE is set in FIPS 140 mode; as it doesn't allow X509TrustManager to be
    // wrapped
    if (inSunJsseInFipsMode()) {
        logger.info("diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.");
        return false;
    } else if (XPackSettings.FIPS_MODE_ENABLED.get(settings) && DIAGNOSE_TRUST_EXCEPTIONS_SETTING.exists(settings) == false) {
        logger.info("diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.");
        return false;
    } else {
        // (excerpt truncated here in the source extract)
```
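As an added, illustrative example (not code from the Elasticsearch project), the following Java program reproduces the mechanism behind the message and the source excerpt above: it checks whether the installed SunJSSE provider reports FIPS mode, then tries to initialise an SSLContext with the JVM's default trust manager wrapped in a small diagnostic delegate, the same kind of wrapping Elasticsearch's DiagnosticTrustManager performs. The class and method names, and the "FIPS mode" substring match on the provider info string, are this example's own assumptions, not Elasticsearch's implementation.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Illustrative example, not Elasticsearch code: shows why a wrapped trust manager
 * cannot be installed when Java 8's SunJSSE runs in FIPS 140 mode.
 */
public class WrappedTrustManagerDemo {

    /**
     * Assumption made by this example: Java 8's SunJSSE includes "FIPS mode" in its
     * provider info string once it has been configured with a FIPS crypto provider.
     */
    static boolean sunJsseInFipsMode() {
        Provider sunJsse = Security.getProvider("SunJSSE");
        return sunJsse != null && sunJsse.getInfo().contains("FIPS mode");
    }

    /**
     * Minimal stand-in for a diagnostic trust manager: delegates every decision to the
     * real trust manager and, when a chain is rejected, prints it before rethrowing.
     */
    static final class DiagnosticTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;

        DiagnosticTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try { delegate.checkClientTrusted(chain, authType); }
            catch (CertificateException e) { describe("client", chain, e); throw e; }
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            try { delegate.checkServerTrusted(chain, authType); }
            catch (CertificateException e) { describe("server", chain, e); throw e; }
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

        private static void describe(String role, X509Certificate[] chain, CertificateException e) {
            System.err.println("TLS " + role + " certificate chain not trusted: " + e.getMessage());
            for (int i = 0; i < chain.length; i++) {
                System.err.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal()
                        + " issuer=" + chain[i].getIssuerX500Principal()
                        + " notAfter=" + chain[i].getNotAfter());
            }
        }
    }

    /** Returns the JVM's default X509TrustManager (backed by the default cacerts store). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Attempts to build an SSLContext around the wrapped trust manager. Returns true when
     * the provider accepts the wrapper and false when it rejects it, which is what SunJSSE
     * in FIPS mode does (it throws a KeyManagementException stating that only its own
     * trust managers may be used).
     */
    static boolean tryWrappedTrustManager() throws Exception {
        X509TrustManager wrapped = new DiagnosticTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        try {
            ctx.init(null, new TrustManager[] { wrapped }, null);
            return true;
        } catch (KeyManagementException e) {
            System.err.println("wrapping rejected by provider: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SunJSSE in FIPS mode: " + sunJsseInFipsMode());
        System.out.println("wrapped trust manager accepted: " + tryWrappedTrustManager());
    }
}
```

On a standard JDK the wrapper is accepted and the second line prints true. On Java 8 with SunJSSE configured for FIPS 140 mode the init call fails and the method returns false, which is why Elasticsearch silently falls back to the provider's own trust manager and logs the INFO message instead of failing TLS setup.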