Briefly, this error occurs when you try to enable SSL/TLS trust while running Elasticsearch in FIPS mode with the SunJSSE provider. SunJSSE doesn’t support FIPS mode, hence the error. To resolve this, you can switch to a FIPS 140-2 compliant SSL/TLS provider like Bouncy Castle FIPS (BCFIPS). Alternatively, you can disable FIPS mode if it’s not a requirement. Remember to properly configure your Elasticsearch and JVM settings when making these changes.
This guide will help you check for common problems that cause the log ” diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode. ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.
Log Context
Log “diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.” classname is SSLService.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
private boolean shouldEnableDiagnoseTrust() {
// We disable the DiagnosticTrustManager in Java 8 when SunJSSE is set in FIPS 140 mode; as it doesn't allow X509TrustManager to be
// wrapped
if (inSunJsseInFipsMode()) {
logger.info("diagnostic messages for SSL/TLS trust cannot be enabled for SunJSSE in FIPS mode.");
return false;
} else if (XPackSettings.FIPS_MODE_ENABLED.get(settings) && DIAGNOSE_TRUST_EXCEPTIONS_SETTING.exists(settings) == false) {
logger.info("diagnostic messages for SSL/TLS trust failures are not enabled in FIPS 140 mode by default.");
return false;
} else {
