TLS not available, adding support for SSLv2 and SSLv3 protocols

Supporting HTTPS connections to Portal Dedicated in early versions of Java 7 or older

Supporting SSL handshakes with the SSLv2 and SSLv3 protocols where TLS 1.0 - 1.3 cannot be implemented

Java 6 or older, and very early versions of Java 7, may not support strong encryption protocols like TLS 1.0 - 1.3.

Most systems nowadays require use of stronger encryption protocols than SSLv2 or SSLv3 and actually prevent successful SSL handshakes using these old protocols during negotiation.
Although it is not ideal to make use of these older, less safe protocols, it would still be better to implement some encryption than to have no encrypted connections at all.

We have observed scenarios where old Java versions in use by applications prevented successful handshakes from the Agent to Elasticsearch. By default, the installation and configuration of Elasticsearch with Portal Dedicated only supports TLS and not these older protocols.

If the Portal Dedicated UI reports that some of your Agents cannot connect to Elasticsearch and you suspect that the Agent application is running one of these older versions of Java, please check your "mc.log". You may see entries logged when these Agents try to connect, indicating that the protocol they are trying to connect with is not supported. The entry also states the protocol that the Agent is attempting to use.

In such a scenario, you could reconfigure Elasticsearch to allow connections using the attempted protocol, e.g. "SSLv3HELLO". First, change the JDK behaviour by adding the identified protocol that the Agent is attempting to use to the list of allowed protocols in your Java security policy file. Second, add support for the protocol in the readonlyrest.yml configuration file so that connections using it are allowed. Finally, restart Elasticsearch; this should resolve the situation and allow the Agent to connect successfully.
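
One way to confirm exactly what the JDK edit changed, as an added example (not part of the original article or of Portal Dedicated). It assumes the JDK setting involved is the `jdk.tls.disabledAlgorithms` property of the `java.security` file; the sample files are constructed and the names `before` and `after` are hypothetical.

```shell
#!/bin/sh
# Added example: compare jdk.tls.disabledAlgorithms before and after an edit.

# Print the effective entries of jdk.tls.disabledAlgorithms, one per line.
# Handles comments, backslash continuations and CRLF; last assignment wins.
disabled_tls_algorithms() {
    awk '
        { sub(/\r$/, "") }
        !inprop && /^[ \t]*[#!]/ { next }
        !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*[=:]/ {
            sub(/^[^=:]*[=:]/, ""); value = ""; inprop = 1
        }
        inprop {
            inprop = sub(/\\$/, "")   # trailing backslash: value continues
            value = value $0
            if (!inprop) result = value
        }
        END {
            n = split(result, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$1"
}

# Succeed if entry $2 (e.g. SSLv3) is listed as disabled in file $1.
protocol_is_disabled() {
    disabled_tls_algorithms "$1" | grep -qxF -- "$2"
}

# Print entries disabled in file $1 that file $2 no longer disables.
newly_enabled() {
    disabled_tls_algorithms "$1" | while IFS= read -r alg; do
        protocol_is_disabled "$2" "$alg" || printf '%s\n' "$alg"
    done
}

# Constructed sample files (hypothetical): the policy before and after the edit.
before=$(mktemp); after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT
cat > "$before" <<'EOF'
#jdk.tls.disabledAlgorithms=
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
sed 's/=SSLv3, /=/' "$before" > "$after"
echo "Re-enabled by the edit:"; newly_enabled "$before" "$after"
```

Run the functions against copies of the real file taken before and after the change: any entry reported besides the protocol identified in "mc.log" was re-enabled unintentionally.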