Logstash mysteriously returns connection reset when connecting to an HTTPS Elasticsearch endpoint

I was on a wild goose chase today because connections to a newly set up Elasticsearch fronted by nginx were failing from Logstash with the error ‘Connection reset’. I was absolutely certain that the host trying to make a connection could connect. curl -v https://example.com/elasticsearch worked. For some reason Logstash could not connect. I assumed I wasn’t setting some elasticsearch plugin parameters correctly.

[root@ip-172-10-1-246 conf.d]# /etc/init.d/logstash configtest
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://es.example.com:443: Connection reset
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://es.example.com:443
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://es.example.com:443: Connection reset
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://es.example.com:443
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.SocketException) caught when processing request to {s}->https://es.example.com:443: Connection reset
Mar 21, 2016 4:42:31 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {s}->https://es.example.com:443
Connection reset {:class=>"Manticore::SocketException", :level=>:error}
Configuration OK

After hours of trial and elimination, I had it narrowed down to the JVM that was running Logstash. It turns out, support for TLSv2 in OpenJDK 1.7 is not enabled by default. Adding -Dhttp.protocols=TLSv2 to Java startup parameters does not help either. Upgrading to OpenJDK version 1.8 worked for me. I hope this quick note helps save time for someone.
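A quicker way to confirm this kind of mismatch, as an added example that is not part of the original post (the class name TlsProtocolCheck is hypothetical): it prints the TLS protocol versions the running JVM enables by default next to those it merely supports and, when given a host and optional port, tries a handshake with each supported version in turn. Run it with the same java binary that starts Logstash, since curl on the same host uses a different TLS stack.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic, not Logstash code. Usage: java TlsProtocolCheck [host [port]]
public class TlsProtocolCheck {

    // Protocols the JVM can speak but will not offer unless explicitly enabled.
    static Set<String> supportedButNotDefault(SSLParameters defaults, SSLParameters supported) {
        Set<String> gap = new LinkedHashSet<>(Arrays.asList(supported.getProtocols()));
        gap.removeAll(Arrays.asList(defaults.getProtocols()));
        return gap;
    }

    // Handshake offering exactly one protocol version, so the result is unambiguous.
    static String probe(SSLSocketFactory factory, String host, int port, String protocol) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);
            socket.setEnabledProtocols(new String[] { protocol });
            socket.startHandshake();
            return "accepted, negotiated " + socket.getSession().getProtocol();
        } catch (Exception e) {
            // Includes resets by the server and versions this JVM's security policy refuses.
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        System.out.println("java.version:        " + System.getProperty("java.version"));
        System.out.println("enabled by default:  " + Arrays.toString(defaults.getProtocols()));
        System.out.println("supported:           " + Arrays.toString(supported.getProtocols()));
        System.out.println("supported, not on:   " + supportedButNotDefault(defaults, supported));
        if (args.length == 0) return; // no host given: report the JVM side only

        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (String protocol : supported.getProtocols()) {
            if (protocol.equals("SSLv2Hello")) continue; // hello format, not a protocol version
            System.out.println(protocol + " -> " + probe(ctx.getSocketFactory(), host, port, protocol));
        }
    }
}
```

If every version listed under "enabled by default" fails against the endpoint while one under "supported, not on" is accepted, the JVM defaults are the cause rather than the Logstash plugin configuration.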
