Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Context ignores certificate verify_mode #2167

Open
b-deam opened this issue Feb 27, 2023 · 3 comments
Open

SSL Context ignores certificate verify_mode #2167

b-deam opened this issue Feb 27, 2023 · 3 comments
Labels
Category: Bug

Comments

@b-deam
Copy link
Member

b-deam commented Feb 27, 2023

Elasticsearch version (bin/elasticsearch --version): 8.x

elasticsearch-py version (elasticsearch.__versionstr__): 8.6.1

Please make sure the major version matches the Elasticsearch server you are running.

Description of the problem including expected versus actual behavior:

According to https://www.elastic.co/guide/en/elasticsearch/client/python-api/current/config.html#_using_an_sslcontext
we should be able to omit the verify_certs parameter in the client constructor if we correctly setup an ssl context object.

Steps to reproduce:

  1. Start a local Elasticsearch cluster with SSL enabled and a self-signed certificate
  2. Execute this reproduction script
  from elasticsearch import Elasticsearch
  import ssl
  import certifi
  
  ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=certifi.where())
  ssl_context.check_hostname = False
  ssl_context.verify_mode = ssl.CERT_NONE
  
  # works, setting verify_certs means we don't verify the certificate 
  es = Elasticsearch(
    hosts=["https://localhost:9200"],
    ssl_context=ssl_context,
    verify_certs=False,
    basic_auth=("elastic", "changeme"),
  )
  print(es.info())
  
  # fails, even though the SSL context object's verify_mode is set to NONE it still attempts to verify the certificate 
  es = Elasticsearch(
    hosts=["https://localhost:9200"],
    ssl_context=ssl_context,
    basic_auth=("elastic", "changeme"),
  )
  print(es.info())
@b-deam b-deam mentioned this issue Feb 27, 2023
Merged
19 tasks
@4lissonsilveira
Copy link

4lissonsilveira commented Oct 29, 2023
edited
Loading

Hi @b-deam what could be a potential fix? Perhaps defaulting verify_certs to False if ssl_context is specified by the user and verify_certs is not?

e.g.: adding the below block of code to

elasticsearch-py/elasticsearch/_sync/client/utils.py

Line 112 in 650ad2a 

# if there is a ssl context, verify_certy should default to False
if (
    node_options.get("ssl_context") and
    node_options.get("verify_certs") is None
):
    node_options["verify_certs"] = False

many thanks!

@pquentin
Copy link
Member

@4lissonsilveira Hello! Setting verify_certs to False would break cases where we specify an SSLContext and actually want to verify the certificates.

Anyway, the logic should live in elastic-transport-python (this is where the default value of verify_certs is set to True). It is actually enough to change https://github.com/elastic/elastic-transport-python/blob/65424ca058388b9757c7b64e83fbb129c4833fb5/elastic_transport/_node/_http_urllib3.py#L99 to if ssl_context.verify_mode != ssl.CERT_NONE: and do the same for the requests and aiohttp backends.

Is this something you would like to work on?

@4lissonsilveira
Copy link

Hi @pquentin thanks a lot for the info, yeah, I'd like to work on it. I'll take a look at the transport lib.

@pquentin pquentin changed the title SSL Context might ignore certificate verify_mode SSL Context ignores certificate verify_mode Oct 31, 2023
@pquentin pquentin mentioned this issue Jan 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Category: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pquentin @4lissonsilveira @b-deam