Diagnostic messages for SSL TLS trust failures are not enabled in FIPS 140 mode by default – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 7.6-7.17

Briefly, this error occurs when Elasticsearch is running in FIPS 140 mode, a security standard for cryptographic modules, and the diagnostic messages for SSL/TLS trust failures are not enabled. This can make it difficult to troubleshoot SSL/TLS issues. To resolve this, you can enable these diagnostic messages by setting the system property “xpack.security.fips_mode.enabled” to “true”. Alternatively, you can disable FIPS 140 mode if it’s not required for your use case. Always ensure to follow security best practices when making these changes.

This guide will help you check for common problems that cause the log ” diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default. ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.” classname is SSLService.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :

        // wrapped
        if (inSunJsseInFipsMode()) {
            logger.info("diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.");
            return false;
        } else if (XPackSettings.FIPS_MODE_ENABLED.get(settings) && DIAGNOSE_TRUST_EXCEPTIONS_SETTING.exists(settings) == false) {
            logger.info("diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.");
            return false;
        } else {
            return DIAGNOSE_TRUST_EXCEPTIONS_SETTING.get(settings);
        }
    }

 

 [ratemypost]