The default settings currently seem to allow weak TLS ciphers & protocols. These can be changed in the settings (using enabled_ciphers and enabled_protocols) to harden them, but we should consider changing the default in the upcoming 3.0 release (as it’d be a breaking change)?
Considering following the configuration from Mozilla (note: “intermediate” is required for Java 8 compatibility; need to check if we're dropping that with OpenSearch 3.0):