[DOCS] Add notes on SSL version by JDK version (#73401)

Recent JDK releases have disabled TLS v1.0 and TLS v1.1 by default

See
 - https://java.com/en/jre-jdk-cryptoroadmap.html
 - https://bugs.openjdk.java.net/browse/JDK-8202343

This change adds documentation clarifying which TLS versions are
supported on which JDKs (in general terms, rather than specific builds)
and how to change the configuration if necessary.

Co-authored-by: Adam Locke <adam.locke@elastic.co>

docs/reference/settings/common-defs.asciidoc

@@ -111,6 +111,9 @@ Supported protocols with versions. Valid protocols: `SSLv2Hello`,
 the default is `TLSv1.3,TLSv1.2,TLSv1.1`. Otherwise, the default is
 `TLSv1.2,TLSv1.1`.
 +
+{es} relies on your JDK’s implementation of SSL and TLS.
+View <<jdk-tls-versions>> for more information.
++
 --
 NOTE: If `xpack.security.fips_mode.enabled` is `true`, you cannot use `SSLv2Hello`
 or `SSLv3`. See <<fips-140-compliance>>.

x-pack/docs/en/security/configuring-stack-security.asciidoc

@@ -75,5 +75,6 @@ include::securing-communications/security-basic-setup.asciidoc[]
 include::securing-communications/security-basic-setup-https.asciidoc[]
 include::securing-communications/configuring-tls-docker.asciidoc[]
 include::securing-communications/enabling-cipher-suites.asciidoc[]
+include::securing-communications/tls-versions-jdk.asciidoc[]
 include::reference/files.asciidoc[]
 include::fips-140-compliance.asciidoc[]

x-pack/docs/en/security/securing-communications/tls-versions-jdk.asciidoc

@@ -0,0 +1,146 @@
+[role="xpack"]
+[[jdk-tls-versions]]
+=== Supported SSL/TLS versions by JDK version
+
+{es} relies on your JDK's implementation of SSL and TLS.
+
+Different JDK versions support different versions of SSL, and this may affect how {es} operates.
+
+[NOTE]
+====
+This support applies when running on the default JSSE provider in the JDK.
+JVMs that are configured to use a <<fips-140-compliance, FIPS 140-2>> security
+provider might have a custom TLS implementation, which might support TLS
+protocol versions that differ from this list.
+
+Check your security provider's release notes for information on TLS support.
+====
+
+`SSLv3`::
+SSL v3 is supported on all {es} <<jvm-version,compatible JDKs>> but is disabled by default.
+See <<jdk-enable-tls-protocol>>.
+
+`TLSv1`::
+TLS v1.0 is supported on all {es} <<jvm-version,compatible JDKs>>.
+Some newer JDKs, including the JDK bundled with {es}, disable TLS v1.0 by default.
+See <<jdk-enable-tls-protocol>>.
+
+`TLSv1.1`::
+TLS v1.1 is supported on all {es} <<jvm-version,compatible JDKs>>.
+Some newer JDKs, including the JDK bundled with {es}, disable TLS v1.1 by default.
+See <<jdk-enable-tls-protocol>>.
+
+`TLSv1.2`::
+TLS v1.2 is supported on all {es} <<jvm-version,compatible JDKs>>.
+It is enabled by default on all JDKs that are supported by {es}, including the bundled JDK.
+
+`TLSv1.3`::
+TLS v1.3 is supported on JDK11 and later, and JDK8 builds newer than 8u261
+(including the most recent release of each JDK8 distribution that {es} supports).
+TLS v1.3 is supported and enabled by default on the JDK that is bundled with {es}.
++
+NOTE: Although {es} supports running on older JDK8 builds without TLS v1.3,
+we recommend upgrading to a JDK version that includes TLS v1.3 for better
+support and updates.
+
+[[jdk-enable-tls-protocol]]
+==== Enabling additional SSL/TLS versions on your JDK
+
+The set of supported SSL/TLS versions for a JDK is controlled by a java security
+properties file that is installed as part of your JDK.
+
+This configuration file lists the SSL/TLS algorithms that are disabled in that JDK.
+Complete these steps to remove a TLS version from that list and use it in your JDK.
+
+1. Locate the configuration file for your JDK.
+2. Copy the `jdk.tls.disabledAlgorithms` setting from that file, and add it to a custom
+   configuration file within the {es} configuration directory.
+3. In the custom configuration file, remove the value for the TLS version you want
+to use from `jdk.tls.disabledAlgorithms`.
+4. Configure {es} to pass a custom system property to the JDK so that your custom
+   configuration file is used.
+
+===== Locate the configuration file for your JDK
+
+For the {es} **bundled JDK**, the configuration file is in a sub directory of
+the {es} home directory (`$ES_HOME`):
+
+* Linux: `$ES_HOME/jdk/conf/security/java.security`
+* Windows: `$ES_HOME/jdk/conf/security/java.security`
+* macOS:`$ES_HOME/jdk.app/Contents/Home/conf/security/java.security`
+
+For **JDK8**, the configuration file is within the `jre/lib/security` directory
+of the Java installation.
+If `$JAVA_HOME` points to the home directory of the JDK that you use to run {es},
+then the configuration file will be in:
+
+* `$JAVA_HOME/jre/lib/security/java.security`
+
+For **JDK11 or later**, the configuration file is within the `conf/security`
+directory of the Java installation.
+If `$JAVA_HOME` points to the home directory of the JDK that you use to run
+{es}, then the configuration file will be in:
+
+* `$JAVA_HOME/conf/security/java.security`
+
+===== Copy the disabledAlgorithms setting
+
+Within the JDK configuration file is a line that starts with
+`jdk.tls.disabledAlgorithms=`.
+This setting controls which protocols and algorithms are _disabled_ in your JDK.
+The value of that setting will typically span multiple lines.
+
+For example, in OpenJDK 16 the setting is:
+[source,text]
+--------------------------------------------------
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+--------------------------------------------------
+
+Create a new file in your in your {es} configuration directory named `es.java.security`.
+Copy the `jdk.tls.disabledAlgorithms` setting from the JDK's default configuration file into `es.java.security`.
+You do not need to copy any other settings.
+
+===== Enable required TLS versions
+
+Edit the `es.java.security` file in your {es} configuration directory, and
+modify the `jdk.tls.disabledAlgorithms` setting so that any SSL or TLS versions
+that you wish to use are no longer listed.
+
+For example, to enable TLSv1.1 on OpenJDK 16 (which uses the
+`jdk.tls.disabledAlgorithms` settings shown previously), the
+`es.java.security` file would contain the previously disabled TLS algorithms
+_except_ `TLSv1.1`:
+
+[source,text]
+--------------------------------------------------
+jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, MD5withRSA, \
+    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+--------------------------------------------------
+
+===== Enable your custom security configuration
+
+To enable your custom security policy, add a file in the <<set-jvm-options, `jvm.options.d`>>
+directory within your {es} configuration directory.
+
+To enable your custom security policy, create a file named
+`java.security.options` within the <<set-jvm-options, jvm.options.d>>
+directory of your {es} configuration directory, with this content:
+
+[source,text]
+----
+-Djava.security.properties=/path/to/your/es.java.security
+----
+
+==== Enabling TLS versions in {es}
+
+SSL/TLS versions can be enabled and disabled within {es} via the
+<<ssl-tls-settings,`ssl.supported_protocols` settings>>.
+
+{es} will only support the TLS versions that are enabled by the
+<<jdk-tls-versions,underlying JDK>>. If you configure
+`ssl.supported_procotols` to include a TLS version that is not enabled in your
+JDK, then it will be silently ignored.
+
+Similarly, a TLS version that is enabled in your JDK, will not be used unless
+it is configured as one of the `ssl.supported_protocols` in {es}.