Transport Layer Security (TLS) has periodic releases that improve security. Older versions reach end-of-life and have to be phased out. SearchStax Managed Search service will phase out TLS 1.0 and 1.1 on November 8, 2022.
A server can have multiple TLS releases active at the same time. When a remote client makes a connection with a SearchStax server, the two computers negotiate to find a TLS version that they have in common. If they have no TLS version in common, the connection fails.
TLS 1.0 and 1.1 have been in service a long time. They are no longer considered secure, so we are removing them from our servers.
Therefore, the “TLS 1.2 Upgrade” isn’t about adding TLS 1.2 to our servers. It’s about removing TLS versions older than 1.2.
Somewhere, that’s going to cause trouble for a client computer that never had 1.2 installed. These “upgrade” episodes let you verify your ability to connect on “dev” or “qa” deployments before having TLS 1.0 and 1.1 suddenly stop working in your production system.
SearchStax deployments will all use TLS 1.2 as a minimum. Clusters and some single-node deployments also use TLS 1.3. Eventually, all will have both 1.2 and 1.3.
To determine which TLS versions are supported by your SearchStax deployment, open a Linux Bash window and use the nmap tool:
$ nmap --script ssl-enum-ciphers -Pn -p 443 ss123456-us-west-1-aws.searchstax.com
Host is up (0.042s latency).
...
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
Nmap done: 1 IP address (1 host up) scanned in 4.03 seconds
In the example above, TLSv1.2 is the only protocol listed, so this SearchStax deployment uses TLS version 1.2.
Note that the nmap tool cannot reach inside a VNET. You can ask SearchStax Support to run it for you.
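To make that reading of the nmap output repeatable across "dev", "qa" and production deployments, the shell functions below list the protocol versions nmap reports and flag anything older than TLS 1.2. This is an added example, not SearchStax code; the function names, exit statuses and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SearchStax code). Usage with real output, <host> being
# your deployment's hostname:
#   nmap --script ssl-enum-ciphers -Pn -p 443 <host> | check_min_tls12

# Print each protocol header ("|   TLSv1.2:", "|   SSLv3:") found on stdin.
tls_versions() {
    awk '/^[|][ _]*(TLS|SSL)v[0-9.]+: *$/ { gsub(/[|_ :]/, ""); print }'
}

# Exit status: 0 = only TLS 1.2/1.3 offered, 1 = an older version is still
# offered, 2 = no TLS 1.2+ seen (or no scan results, e.g. host inside a VNET).
check_min_tls12() {
    versions=$(tls_versions)
    [ -n "$versions" ] || { echo "no ssl-enum-ciphers results"; return 2; }
    result=0; modern=no
    for v in $versions; do
        case "$v" in
            TLSv1.2|TLSv1.3) echo "$v: ok"; modern=yes ;;
            *) echo "$v: deprecated, should be disabled"; result=1 ;;
        esac
    done
    [ "$modern" = yes ] || result=2
    return "$result"
}

# Constructed sample: a server that still offers TLS 1.0 and 1.1.
sample_before() {
cat <<'EOF'
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
EOF
}

# Constructed sample: the same server after TLS 1.0 and 1.1 are removed.
sample_after() { sample_before | awk '/TLSv1\.[01]:/ {skip=1} /TLSv1\.2:/ {skip=0} !skip'; }

sample_before | check_min_tls12 || echo "-> exit status $?"
sample_after  | check_min_tls12 && echo "-> exit status 0"
```

The non-zero exit status lets a scheduled job or pipeline step fail when a deployment still offers TLS 1.0 or 1.1.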
With individual nodes, we expect a downtime of a few seconds (usually) to a few minutes (rarely). We upgrade clusters in a rolling manner, so users don’t notice any downtime.
In most cases, there is nothing that you need to do at your end.
If you need to have the TLS upgrade, contact the SearchStax Support Desk.
Questions?
Do not hesitate to contact the SearchStax Support Desk.