Verify SSL certificates for Elasticsearch connections by default

Making developers opt out of extra security is better than making them opt in, especially when they may not be aware of the security they are missing out on.
2016-03-24 11:34:31 +11:00 · 2016-03-24 11:34:31 +11:00 · edc236cb06
commit edc236cb06
--- a/docs/releases/1.5.rst
+++ b/docs/releases/1.5.rst
@ -57,3 +57,37 @@ Should be changed to:
        ]

 To ease the burden on third-party modules, adding tuples to ``Page.search_fields`` will still work. But this backwards-compatibility fix will be removed in Wagtail 1.7.
+
+Elasticsearch backend now defaults to verifying SSL certs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Previously, if you used the Elasticsearch backend, configured with the URLS property like:
+
+
+.. code-block:: python
+
+    WAGTAILSEARCH_BACKENDS = {
+        'default': {
+            'BACKEND': 'wagtail.wagtailsearch.backends.elasticsearch',
+            'URLS': ['https://example.com/'],
+        }
+    }
+
+Elasticsearch would not be configured to verify SSL certificates for HTTPS URLs. This has been changed so that SSL certificates are verified for HTTPS connections by default.
+
+If you need the old behaviour back, where SSL certificates are not verified for your HTTPS connection, you can configure the Elasticsearch backend with the ``HOSTS`` option, like so:
+
+.. code-block:: python
+
+    WAGTAILSEARCH_BACKENDS = {
+        'default': {
+            'BACKEND': 'wagtail.wagtailsearch.backends.elasticsearch',
+            'HOSTS': [{
+                'host': 'example.com'
+                'use_ssl': True,
+                'verify_certs': False,
+            }],
+        }
+    }
+
+See the `Elasticsearch-py documentation <http://elasticsearch-py.readthedocs.org/en/stable/#ssl-and-authentication>`_ for more configuration options.
--- a/wagtail/wagtailsearch/backends/elasticsearch.py
+++ b/wagtail/wagtailsearch/backends/elasticsearch.py
@ -686,6 +686,7 @@ class ElasticSearch(BaseSearch):
                    'port': port,
                    'url_prefix': parsed_url.path,
                    'use_ssl': use_ssl,
+                    'verify_certs': use_ssl,
                    'http_auth': http_auth,
                })

--- a/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py
+++ b/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py
@ -911,6 +911,7 @@ class TestBackendConfiguration(TestCase):
                    'host': '127.0.0.1',
                    'port': 9300,
                    'use_ssl': True,
+                    'verify_certs': True,
                }
            ]
        })