ESExporter: Add option to disable hostname verification

This adds a setting to allow hostname verification to be disabled for https connections. Without this option Marvel will not work when the hostname in a certificate cannot be verified. Closes elastic#384
spalger · Feb 17, 2015 · 9acf9b4 · 9acf9b4
1 parent 6671dc2
commit 9acf9b4
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/agent/src/main/java/org/elasticsearch/marvel/agent/exporter/ESExporter.java b/agent/src/main/java/org/elasticsearch/marvel/agent/exporter/ESExporter.java
@@ -83,6 +83,7 @@ public class ESExporter extends AbstractLifecycleComponent<ESExporter> implement
 
     /** https support * */
     final SSLSocketFactory sslSocketFactory;
+    volatile boolean hostnameVerification;
 
     final ClusterService clusterService;
     final ClusterName clusterName;
@@ -143,6 +144,7 @@ public ESExporter(Settings settings, ClusterService clusterService, ClusterName
         dynamicSettings.addDynamicSetting(SETTINGS_HOSTS + ".*");
         dynamicSettings.addDynamicSetting(SETTINGS_TIMEOUT);
         dynamicSettings.addDynamicSetting(SETTINGS_READ_TIMEOUT);
+        dynamicSettings.addDynamicSetting(SETTINGS_SSL_HOSTNAME_VERIFICATION);
         nodeSettingsService.addListener(this);
 
         if (!settings.getByPrefix(SETTINGS_SSL_PREFIX).getAsMap().isEmpty()) {
@@ -151,6 +153,7 @@ public ESExporter(Settings settings, ClusterService clusterService, ClusterName
             logger.trace("no ssl context configured");
             sslSocketFactory = null;
         }
+        hostnameVerification = settings.getAsBoolean(SETTINGS_SSL_HOSTNAME_VERIFICATION, true);
 
         logger.debug("initialized with targets: {}, index prefix [{}], index time format [{}]",
                 Utils.santizeUrlPwds(Strings.arrayToCommaDelimitedString(hosts)), indexPrefix, indexTimeFormat);
@@ -420,6 +423,9 @@ private HttpURLConnection openConnection(String host, String method, String path
             if (conn instanceof HttpsURLConnection && sslSocketFactory != null) {
                 HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
                 httpsConn.setSSLSocketFactory(sslSocketFactory);
+                if (!hostnameVerification) {
+                    httpsConn.setHostnameVerifier(TrustAllHostnameVerifier.INSTANCE);
+                }
             }
 
             conn.setRequestMethod(method);
@@ -563,6 +569,12 @@ public void onRefreshSettings(Settings settings) {
             this.checkedAndUploadedIndexTemplate = false;
             this.boundToLocalNode = false;
         }
+
+        Boolean newHostnameVerification = settings.getAsBoolean(SETTINGS_SSL_HOSTNAME_VERIFICATION, null);
+        if (newHostnameVerification != null) {
+            logger.info("hostname verification set to [{}]", newHostnameVerification);
+            this.hostnameVerification = newHostnameVerification;
+        }
     }
 
     interface MultiXContentRenderer {
@@ -806,7 +818,7 @@ public void run() {
     public static final String SETTINGS_SSL_TRUSTSTORE = SETTINGS_SSL_PREFIX + "truststore.path";
     public static final String SETTINGS_SSL_TRUSTSTORE_PASSWORD = SETTINGS_SSL_PREFIX + "truststore.password";
     public static final String SETTINGS_SSL_TRUSTSTORE_ALGORITHM = SETTINGS_SSL_PREFIX + "truststore.algorithm";
-
+    public static final String SETTINGS_SSL_HOSTNAME_VERIFICATION = SETTINGS_SSL_PREFIX + "hostname_verification";
 
     /** SSL Initialization * */
     public SSLSocketFactory createSSLSocketFactory(Settings settings) {
@@ -861,5 +873,20 @@ public SSLSocketFactory createSSLSocketFactory(Settings settings) {
         }
         return sslContext.getSocketFactory();
     }
+
+    /**
+     * Trust all hostname verifier. This simply returns true to completely disable hostname verification
+     */
+    static class TrustAllHostnameVerifier implements HostnameVerifier {
+        static final HostnameVerifier INSTANCE = new TrustAllHostnameVerifier();
+
+        private TrustAllHostnameVerifier() {
+        }
+
+        @Override
+        public boolean verify(String s, SSLSession sslSession) {
+            return true;
+        }
+    }
 }
 
diff --git a/docs/configuration.asciidoc b/docs/configuration.asciidoc
@@ -75,6 +75,11 @@ the password to use when accessing the trust store.
 
 Trust store format (defaults to SunX509).
 
+`marvel.agent.exporter.es.ssl.hostname_verification`::
++
+added[1.3.1] - Set this to `false` to disable HTTPS hostname verification when exporting.
++
+This setting is update-able via the Cluster Update Settings API.
 
 [[marvel-indices]]
 === Marvel indices
@@ -175,4 +180,4 @@ Needed for basic authentication support. You may want tighten it to only allow t
 
 Please see the {ref}/modules-http.html[Elasticsearch documentation] for more information.
 
-NOTE: enabling CORS may result in unwarrented access to your cluster. Consider these settings carefully.
+NOTE: enabling CORS may result in unwarrented access to your cluster. Consider these settings carefully.