From 0d702c2fbcee55b37d2bb3f506502d9b151a5081 Mon Sep 17 00:00:00 2001
From: Alexander Reelsen
Date: Mon, 6 Oct 2014 09:11:53 +0200
Subject: [PATCH] HTTPS: Do not require client auth by default

Original commit: elastic/x-pack-elasticsearch@795d40a705378de611243aa2d02d1391719d6340
---
 .../transport/netty/NettySecuredHttpServerTransport.java | 2 +-
 .../shield/transport/netty/NettySecuredTransport.java | 4 ++--
 .../org/elasticsearch/shield/transport/ssl/SSLConfig.java | 4 ++--
 .../org/elasticsearch/shield/test/ShieldIntegrationTest.java | 1 -
 .../elasticsearch/shield/transport/ssl/SSLConfigTests.java | 4 ++--
 5 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredHttpServerTransport.java b/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredHttpServerTransport.java
index 13527b5e683..0460ac3f5a2 100644
--- a/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredHttpServerTransport.java
+++ b/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredHttpServerTransport.java
@@ -46,7 +46,7 @@ public class NettySecuredHttpServerTransport extends NettyHttpServerTransport {
 public HttpSslChannelPipelineFactory(NettyHttpServerTransport transport) {
 super(transport);
 if (ssl) {
- sslConfig = new SSLConfig(settings.getByPrefix("shield.http.ssl."), settings.getByPrefix("shield.ssl."));
+ sslConfig = new SSLConfig(settings.getByPrefix("shield.http.ssl."), settings.getByPrefix("shield.ssl."), false);
 // try to create an SSL engine, so that exceptions lead to early exit
 sslConfig.createSSLEngine();
 } else {
diff --git a/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredTransport.java b/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredTransport.java
index fdd6d936735..6d0ea351a7a 100644
--- a/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredTransport.java
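Review bot: The bare `false` passed as the new third argument to `SSLConfig` in `HttpSslChannelPipelineFactory` is the line that relaxes a security default for the HTTP endpoint, yet nothing on the line says what the literal governs. A short comment on the added line would carry the intent, e.g. `// client certificates are opt-in on the HTTP layer: shield.http.ssl.require.client.auth defaults to false`. Because both layers still fall back to the shared `shield.ssl.require.client.auth` key but now have different built-in defaults, the settings documentation should state the per-layer default explicitly so operators are not surprised that the same unset key means "required" on transport and "not required" on HTTP. The constructor's else branch runs past the hunk.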
+++ b/src/main/java/org/elasticsearch/shield/transport/netty/NettySecuredTransport.java
@@ -53,7 +53,7 @@ public class NettySecuredTransport extends NettyTransport {
 public SslServerChannelPipelineFactory(NettyTransport nettyTransport) {
 super(nettyTransport);
 if (ssl) {
- sslConfig = new SSLConfig(settings.getByPrefix("shield.transport.ssl."), settings.getByPrefix("shield.ssl."));
+ sslConfig = new SSLConfig(settings.getByPrefix("shield.transport.ssl."), settings.getByPrefix("shield.ssl."), true);
 // try to create an SSL engine, so that exceptions lead to early exit
 sslConfig.createSSLEngine();
 } else {
@@ -85,7 +85,7 @@ public class NettySecuredTransport extends NettyTransport {
 public SslClientChannelPipelineFactory(NettyTransport transport) {
 super(transport);
 if (ssl) {
- sslConfig = new SSLConfig(settings.getByPrefix("shield.transport.ssl."), settings.getByPrefix("shield.ssl."));
+ sslConfig = new SSLConfig(settings.getByPrefix("shield.transport.ssl."), settings.getByPrefix("shield.ssl."), true);
 // try to create an SSL engine, so that exceptions lead to early exit
 sslConfig.createSSLEngine();
 } else {
diff --git a/src/main/java/org/elasticsearch/shield/transport/ssl/SSLConfig.java b/src/main/java/org/elasticsearch/shield/transport/ssl/SSLConfig.java
index fd98e05c0d8..4ebdd8474f1 100644
--- a/src/main/java/org/elasticsearch/shield/transport/ssl/SSLConfig.java
+++ b/src/main/java/org/elasticsearch/shield/transport/ssl/SSLConfig.java
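Review bot: The transport-layer default for client authentication is now a literal `true` repeated in two pipeline factories (the @@ -53 and @@ -85 hunks), so the two call sites can drift the next time the default is revisited. Hoisting it into one named constant, `private static final boolean TRANSPORT_REQUIRE_CLIENT_AUTH_DEFAULT = true;`, and passing that from both `SslServerChannelPipelineFactory` and `SslClientChannelPipelineFactory` keeps the security default in a single place and gives the literal a name. Presumably the `clientAuth` flag only has an effect when the engine runs in server mode, in which case the value handed over in the client factory is inert; a one-line comment there saying so would spare the next reader the question. Both constructors continue past their hunks.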
@@ -28,10 +28,10 @@ public class SSLConfig {
 private SSLContext sslContext;
 private String[] ciphers;
- public SSLConfig(Settings componentSettings, Settings defaultSettings) {
+ public SSLConfig(Settings componentSettings, Settings defaultSettings, boolean defaultRequireClientAuth) {
 SSLTrustConfig sslTrustConfig = new SSLTrustConfig(componentSettings, defaultSettings);
- this.clientAuth = componentSettings.getAsBoolean("require.client.auth", defaultSettings.getAsBoolean("require.client.auth", true));
+ this.clientAuth = componentSettings.getAsBoolean("require.client.auth", defaultSettings.getAsBoolean("require.client.auth", defaultRequireClientAuth));
 String keyStore = componentSettings.get("keystore", defaultSettings.get("keystore", System.getProperty("javax.net.ssl.keyStore")));
 String keyStorePassword = componentSettings.get("keystore_password", defaultSettings.get("keystore_password", System.getProperty("javax.net.ssl.keyStorePassword")));
 String keyStoreAlgorithm = componentSettings.get("keystore_algorithm", defaultSettings.get("keystore_algorithm", System.getProperty("ssl.KeyManagerFactory.algorithm")));
diff --git a/src/test/java/org/elasticsearch/shield/test/ShieldIntegrationTest.java b/src/test/java/org/elasticsearch/shield/test/ShieldIntegrationTest.java
index a15cfb2759c..4f4abd9293a 100644
--- a/src/test/java/org/elasticsearch/shield/test/ShieldIntegrationTest.java
+++ b/src/test/java/org/elasticsearch/shield/test/ShieldIntegrationTest.java
@@ -140,7 +140,6 @@ public abstract class ShieldIntegrationTest extends ElasticsearchIntegrationTest
 .put("shield.transport.ssl.truststore", store.getPath())
 .put("shield.transport.ssl.truststore_password", password)
 .put("shield.http.ssl", true)
- .put("shield.http.ssl.require.client.auth", false)
 .put("shield.http.ssl.keystore", store.getPath())
 .put("shield.http.ssl.keystore_password", password)
 .put("shield.http.ssl.truststore", store.getPath())
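Review bot: The new `defaultRequireClientAuth` parameter is the lowest-priority of three sources for `clientAuth` (the component's `require.client.auth`, then the same key in `defaultSettings`, then this flag), and the constructor has no Javadoc that states that order; a trailing positional boolean is also easy to transpose at a call site without the compiler noticing. Add a Javadoc on the constructor describing the three-level lookup, with `@param defaultRequireClientAuth value used when neither componentSettings nor defaultSettings set require.client.auth` and a note that callers choose it per listener (HTTP versus node transport). The constructor body continues past the hunk.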
diff --git a/src/test/java/org/elasticsearch/shield/transport/ssl/SSLConfigTests.java b/src/test/java/org/elasticsearch/shield/transport/ssl/SSLConfigTests.java
index 235150a2b5e..c710cdb7481 100644
--- a/src/test/java/org/elasticsearch/shield/transport/ssl/SSLConfigTests.java
+++ b/src/test/java/org/elasticsearch/shield/transport/ssl/SSLConfigTests.java
@@ -38,7 +38,7 @@ public class SSLConfigTests extends ElasticsearchTestCase {
 .put("keystore_password", "testnode")
 .put("truststore", testnodeStore.getPath())
 .put("truststore_password", "testnode")
- .build());
+ .build(), false);
 } catch (ElasticsearchSSLException e) {
 assertThat(e.getRootCause(), instanceOf(NoSuchAlgorithmException.class));
 }
@@ -59,7 +59,7 @@ public class SSLConfigTests extends ElasticsearchTestCase {
 .put("shield.ssl.truststore_password", "testnode")
 .build();
- SSLConfig sslConfig = new SSLConfig(concreteSettings, genericSettings.getByPrefix("shield.ssl."));
+ SSLConfig sslConfig = new SSLConfig(concreteSettings, genericSettings.getByPrefix("shield.ssl."), false);
 SSLEngine sslEngine = sslConfig.createSSLEngine();
 assertThat(sslEngine.getEnabledCipherSuites().length, is(1));
 }
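Review bot: Neither updated test exercises the new parameter: the @@ -38 case expects `ElasticsearchSSLException` from the algorithm lookup and the @@ -59 case only checks the enabled cipher suite count, so a regression that ignored `defaultRequireClientAuth` or inverted the override order would still pass. Add one case that builds the config with no `require.client.auth` setting and asserts the flag took the passed default, and one that sets `shield.ssl.require.client.auth` to `true` against a `false` default and asserts the setting wins, checking through `SSLEngine.getNeedClientAuth()` if that is where `clientAuth` is applied in `createSSLEngine`, otherwise through whatever accessor exposes it. The test method around the @@ -38 hunk continues past it.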