add verify_mode option to verify client certs

[joemiller]

Adds verify_mode option that can be used to authenticate client TLs
certificates.

Options: peer, force_peer, none.

• peer: Configures https server to request client certificate, but not
  require it.
• force_peer: Require client certificate to be trusted by one of the CA's in
  the keystore.

[elasticsearch-release]

Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run; then say 'jenkins, test it'.

[ph]

Hello @joemiller Would you mind rebasing this PR?

I think this will also fixe this issue #46 that might be related to the JRUBY changes that got merged in 2.16 ?:)

[ph]

nevermind since this is a blocker I will rebase it and test it.

[joemiller]

I had it on my list to do this weekend or next week since puma accepted the
patch to support certification verification when run in jruby yesterday -
puma/puma#833 - but if you would like to do it
first, that would be awesome!!!

On Fri, Feb 26, 2016 at 11:35 AM Pier-Hugues Pellerin <
notifications@github.com> wrote:

nevermind since this is a blocker I will rebase it and test it.

—
Reply to this email directly or view it on GitHub
#37 (comment)
.

[joemiller]

rebased against master, passed unit tests. Note I bumped puma to 3.x which should include the patch to honor the verify_mode flags.

[ph]

@joemiller 2.16 should include the patch too, we are about to ship a web api with the next version of logstash I would prefer if we stick with 2.X. until 3.0 is released for some time ;)

https://github.com/puma/puma/blob/v2.16.0/History.txt#L11

[joemiller]

I agree. I did not see that 2.16.0 would also have the patch =) I will
adjust the PR.

On Mon, Feb 29, 2016 at 6:54 AM Pier-Hugues Pellerin <
notifications@github.com> wrote:

@joemiller https://github.com/joemiller 2.16 should include the patch
too, we are about to ship a web api with the next version of logstash I
would prefer if we stick with 2.X. until 3.0 is released for some time ;)

https://github.com/puma/puma/blob/v2.16.0/History.txt#L11

—
Reply to this email directly or view it on GitHub
#37 (comment)
.

[joemiller]

@ph adjusted puma dep to 2.16

[jsvd]

thankfully the config dsl in logstash allows us to specify a short list of possible values, so we can validate the method setting here instead of checking else in line 109/110. what do you think?

suggestion:
config :verify_mode, :validate => ['none', 'peer', 'force_peer'], :default => 'none'

[ph]

oops I missed that.

[joemiller]

Sure, I can make this change.

[ph]

@jsvd I tested it manually and it fixed the issues people were encountering in #46

I have also created this #47
So we can have more integration tests concerning SSL scenarios.

[elasticsearch-bot]

João Duarte merged this into the following branches!

Branch	Commits
master	b7506fe