clarify comments and add assert client auth type

Original commit: elastic/x-pack-elasticsearch@0e3d134bc6
2025-03-03 17:39:15 +00:00 · 2016-08-03 10:39:37 -04:00 · 2016-08-03 10:39:37 -04:00 · b3f8495a03
commit b3f8495a03
parent 94e7d82a20
2 changed files with 8 additions and 2 deletions
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/rest/SecurityRestFilter.java
@ -101,7 +101,10 @@ public class SecurityRestFilter extends RestFilter {
                threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, certs);
            }
        } catch (SSLPeerUnverifiedException e) {
-            // this happens when we only request client authentication and the client does not provide it
+            // this happens when client authentication is optional and the client does not provide credentials. If client
+            // authentication was required then this connection should be closed before ever getting into this class
+            assert sslEngine.getNeedClientAuth() == false;
+            assert sslEngine.getWantClientAuth();
            if (logger.isTraceEnabled()) {
                logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
            } else if (logger.isDebugEnabled()) {
--- a/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java
+++ b/elasticsearch/x-pack/security/src/main/java/org/elasticsearch/xpack/security/transport/ServerTransportFilter.java
@ -109,7 +109,10 @@ public interface ServerTransportFilter {
                    threadContext.putTransient(PkiRealm.PKI_CERT_HEADER_NAME, certs);
                }
            } catch (SSLPeerUnverifiedException e) {
-                // this happens when we only request client authentication and the client does not provide it
+                // this happens when client authentication is optional and the client does not provide credentials. If client
+                // authentication was required then this connection should be closed before ever getting into this class
+                assert sslEngine.getNeedClientAuth() == false;
+                assert sslEngine.getWantClientAuth();
                if (logger.isTraceEnabled()) {
                    logger.trace("SSL Peer did not present a certificate on channel [{}]", e, channel);
                } else if (logger.isDebugEnabled()) {