Upcoming Security Update: Enforcing HTTPS and TLS 1.2 on Search Domains


Lucy Linder
Team Lead Site Reliability Engineer
We’re updating the configuration of all managed Elasticsearch and OpenSearch domains to align with AWS platform changes and maintain strong security standards. This update applies to all customers using Enterprise Cloud and Open Cloud.
On April 13, 2026, we will enforce HTTPS and set the minimum TLS version to 1.2 for client connections to the search engines.
What’s Changing?
We are applying two specific updates to all Elasticsearch and OpenSearch domain endpoints:
Enforce HTTPS: Any requests made over plain HTTP (port 80) will be rejected.
TLS Security Policy: The minimum supported TLS version will be updated to TLS 1.2 (Policy-Min-TLS-1-2-PFS-2023-10). Support for TLS 1.0 and 1.1 will be disabled.
Will There Be Downtime?
No downtime is expected. This is a metadata and configuration update to the domain's network endpoint. It does not require restarting nodes or migrating data.
While the update is being applied, the clusters remain fully operational. However, as with any network configuration change, we recommend:
Application Retries: Ensure your client applications have standard retry logic to handle any brief (sub-second) connection blips during the transition.
Action Required on Your End
Please verify the following immediately to ensure uninterrupted service:
Use HTTPS: Confirm all your client applications are connecting using https:// and port 443. Connections using http:// or port 80 will fail after this change.
Verify TLS 1.2 Support: Ensure the environment running your client application (OS, Python version, and OpenSSL library) supports TLS 1.2. Modern environments (e.g., Python 3.7+ on a supported OS) generally handle this automatically.
How to Test Your Client (Python)
If you use the elasticsearch-py or opensearch-py library, you can pass the ssl_context parameter to the client constructor to check whether your client can successfully negotiate a TLS 1.2 connection before the scheduled change.
Example of forcing TLS 1.2 with elasticsearch-py:
```python
import ssl

import elasticsearch

# Pin both ends of the allowed range so that only TLS 1.2 can be negotiated
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
context.maximum_version = ssl.TLSVersion.TLSv1_2

client = elasticsearch.Elasticsearch(
    ...,  # your existing connection arguments
    use_ssl=True,
    ssl_context=context,
)
```
If you are using elasticsearch-py, you can verify your environment's compatibility by running the snippet below within your application’s Django shell (python manage.py shell). If this connection succeeds (even if you get a 403 authorization error from AWS), your TLS negotiation is working correctly.
Important: Before running the script, ensure you read and potentially update the “connection information” section at the top of the snippet!
```python
import os
import re
import ssl
from urllib.parse import unquote

import elasticsearch
from requests_aws4auth import AWS4Auth

DEFAULT_HAYSTACK_URL = os.environ.get("DEFAULT_HAYSTACK_URL")

# 👇👇
## Connection information
# If you do not use the usual DEFAULT_HAYSTACK_URL, you have to change the code.
if DEFAULT_HAYSTACK_URL:
    # Get info from the DEFAULT_HAYSTACK_URL environment variable
    aws_access_key, aws_secret_key, host, _ = re.match(
        ".*://(.*):(.*)@(search-[^/]+)/(.*)", DEFAULT_HAYSTACK_URL
    ).groups()
    aws_secret_key = unquote(aws_secret_key)
    aws_region = host.split(".")[1]
else:
    # 🔺 manual values here
    aws_access_key = "<ACCESS_KEY_ID>"
    aws_secret_key = "<SECRET_ACCESS_KEY>"
    host = "<HOST>"
    aws_region = "<REGION>"
# 👆👆

## Setup TLS 1.2 Forced Context
context = ssl.create_default_context()
context.minimum_version = ssl.TLSVersion.TLSv1_2
context.maximum_version = ssl.TLSVersion.TLSv1_2

# Initialize the Client
client = elasticsearch.Elasticsearch(
    hosts=[{"host": host, "port": 443}],
    http_auth=AWS4Auth(
        aws_access_key,
        aws_secret_key,
        aws_region,
        "es",
    ),
    use_ssl=True,
    verify_certs=True,
    connection_class=elasticsearch.RequestsHttpConnection,
    ssl_context=context,
)

try:
    client.info()
    print("✅ Success: TLS 1.2 Handshake and Authentication passed.")
except elasticsearch.exceptions.AuthorizationException:
    print("✅ Success: TLS 1.2 Handshake passed (403 Forbidden as expected).")
except elasticsearch.exceptions.SSLError as e:
    print(
        f"❌ Failed: TLS 1.2 is not supported by your client environment! SSL error: {e}"
    )
except Exception as e:
    print(f"❓ Unexpected error: {e}")
```
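A complementary preflight check that uses only the Python standard library, so the result does not depend on the client library or its transport class. This is an added example, not Divio's code: the function names, the sample URLs, the handling of a prefixed scheme such as es+https, and the use of ECDHE suites as a stand-in for the PFS part of the policy name are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit


def endpoint_problems(url):
    """Reasons a search endpoint URL stops working once plain HTTP is rejected."""
    parts = urlsplit(url)
    # Assumption: a prefixed scheme such as "es+https" names the transport last.
    transport = parts.scheme.rsplit("+", 1)[-1].lower()
    problems = []
    if transport == "http":
        problems.append(f"scheme {parts.scheme!r} is plain HTTP")
    if parts.port == 80:
        problems.append("port 80 is the plain-HTTP port")
    return problems


def tls12_context():
    """Default certificate verification, with the protocol pinned to TLS 1.2."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    context.maximum_version = ssl.TLSVersion.TLSv1_2
    return context


def local_pfs_ciphers():
    """TLS 1.2 ECDHE (forward-secret) suites this Python/OpenSSL build can offer."""
    return [
        c["name"]
        for c in tls12_context().get_ciphers()
        if c["protocol"] == "TLSv1.2" and c["name"].startswith("ECDHE")
    ]


def negotiate(host, port=443, timeout=5.0):
    """Live handshake (needs network access): returns (protocol, cipher name)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for url in (  # constructed sample URLs, not real endpoints or credentials
        "es+https://KEY:SECRET@search-demo.eu-central-1.es.amazonaws.com/idx",
        "http://KEY:SECRET@search-demo.eu-central-1.es.amazonaws.com:80/idx",
    ):
        print(url.split("@")[-1], endpoint_problems(url) or "ok")
    print(ssl.OPENSSL_VERSION, "offers", len(local_pfs_ciphers()), "PFS suites")
```

An empty list from local_pfs_ciphers() means the local OpenSSL build cannot offer a forward-secret TLS 1.2 suite at all. negotiate(host) performs a real handshake against your endpoint without sending credentials.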
If you have any questions or would like help validating your setup, feel free to reach out to our support team. We’re happy to help.