Can we disable Transport Layer TLS? #3921

Closed
10000-ki opened this issue Jan 5, 2024 · 6 comments
Labels
untriaged Require the attention of the repository maintainers and may need to be prioritized

Comments

@10000-ki
Contributor

10000-ki commented Jan 5, 2024

Hi! I'm a user who really loves OpenSearch.

I have one request.

https://opensearch.org/docs/latest/security/configuration/tls/#transport-layer-tls

TLS is optional for the REST layer and mandatory for the transport layer.

Transport layer TLS is mandatory with the security plugin.

But this can have a performance impact.
In a cluster that is internally secure, we don't have to use it.

Can we use Transport Layer TLS optionally?

github-actions bot added the untriaged label Jan 5, 2024
@peternied
Member

@10000-ki This is a great question for our forums [1]. Can you repost your question over there?

Posting in our forums helps make answers discoverable by search engines, and the forums have a community of developers, cluster admins, and users. I'm going to close out this issue.

@pawelw1

pawelw1 commented Jan 10, 2024

@peternied As per the documentation, TLS at the transport layer is mandatory by design. I assume this is a feature request to make the transport layer TLS optional.
There was a similar discussion already in OpenDistro, but it was closed and wasn't continued in OpenSearch.
#37

@peternied
Member

@pawelw1 So yes, the documentation does say that about the transport layer; however, in the v2.0.0 release the transport layer and the REST communication layers were merged. So this feature area is ambiguous.

@pawelw1

pawelw1 commented Jan 11, 2024

@peternied In v2.0.0 only client authentication/authorization has been deprecated in the Transport layer and moved to the REST layer (9200). OpenSearch nodes are still using the Transport layer with TLS to communicate with each other.

#1701

@10000-ki
Contributor Author

> I assume this is a feature request to make the transport layer TLS optional.

Yes, right.

@10000-ki
Contributor Author

When using a private internal network, not an external network, there are cases where it's enough to apply TLS to the REST layer.
