From edc236cb06413bb645f2a480ae7eb19b2c2aa75a Mon Sep 17 00:00:00 2001
From: Tim Heap
Date: Thu, 24 Mar 2016 11:34:31 +1100
Subject: [PATCH] Verify SSL certificates for Elasticsearch connections by default

Making developers opt out of extra security is better than making them opt in, especially when they may not be aware of the security they are missing out on.
---
 docs/releases/1.5.rst | 34 +++++++++++++++++++
 .../wagtailsearch/backends/elasticsearch.py | 1 +
 .../tests/test_elasticsearch_backend.py | 1 +
 3 files changed, 36 insertions(+)

diff --git a/docs/releases/1.5.rst b/docs/releases/1.5.rst
index 8318d006b3..ad992b6b27 100644
--- a/docs/releases/1.5.rst
+++ b/docs/releases/1.5.rst
@@ -57,3 +57,37 @@ Should be changed to:
 ]
 To ease the burden on third-party modules, adding tuples to ``Page.search_fields`` will still work. But this backwards-compatibility fix will be removed in Wagtail 1.7.
+
+Elasticsearch backend now defaults to verifying SSL certs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Previously, if you used the Elasticsearch backend, configured with the URLS property like:
+
+
+.. code-block:: python
+
+ WAGTAILSEARCH_BACKENDS = {
+ 'default': {
+ 'BACKEND': 'wagtail.wagtailsearch.backends.elasticsearch',
+ 'URLS': ['https://example.com/'],
+ }
+ }
+
+Elasticsearch would not be configured to verify SSL certificates for HTTPS URLs. This has been changed so that SSL certificates are verified for HTTPS connections by default.
+
+If you need the old behaviour back, where SSL certificates are not verified for your HTTPS connection, you can configure the Elasticsearch backend with the ``HOSTS`` option, like so:
+
+.. code-block:: python
+
+ WAGTAILSEARCH_BACKENDS = {
+ 'default': {
+ 'BACKEND': 'wagtail.wagtailsearch.backends.elasticsearch',
+ 'HOSTS': [{
+ 'host': 'example.com'
+ 'use_ssl': True,
+ 'verify_certs': False,
+ }],
+ }
+ }
+
+See the `Elasticsearch-py documentation `_ for more configuration options.
diff --git a/wagtail/wagtailsearch/backends/elasticsearch.py b/wagtail/wagtailsearch/backends/elasticsearch.py
index 148299edeb..fe90b9d389 100644
--- a/wagtail/wagtailsearch/backends/elasticsearch.py
+++ b/wagtail/wagtailsearch/backends/elasticsearch.py
@@ -686,6 +686,7 @@ class ElasticSearch(BaseSearch):
 'port': port,
 'url_prefix': parsed_url.path,
 'use_ssl': use_ssl,
+ 'verify_certs': use_ssl,
 'http_auth': http_auth,
 })
diff --git a/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py b/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py
index f2797046ec..027ae8843b 100644
--- a/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py
+++ b/wagtail/wagtailsearch/tests/test_elasticsearch_backend.py
@@ -911,6 +911,7 @@ class TestBackendConfiguration(TestCase):
 'host': '127.0.0.1',
 'port': 9300,
 'use_ssl': True,
+ 'verify_certs': True,
 }
 ]
 })
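Review bot: In the `elasticsearch.py` hunk, `'verify_certs': use_ssl` turns verification on for every https entry in `URLS`, but this path offers no way to supply a CA bundle, so a cluster behind a private or self-signed CA can only be reached by moving to `HOSTS`, and the release note shows that move only with `'verify_certs': False`. It would be safer to point those users at `HOSTS` with `'ca_certs': '/path/to/ca.pem'` (placeholder path) so verification stays on, and to record the intent in a comment above the new line, e.g. `# https URLs are verified by default; use HOSTS with ca_certs for a private CA`. Whether verification succeeds without an explicit bundle depends on the installed elasticsearch-py and its CA source, which is not visible here, so it is worth confirming a URLS-only configuration against a publicly trusted host. The dict literal sits inside a method whose start and end are outside the hunk.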