Removing the server.ssl.clientAuthentication setting (#10263)

Backports PR #10253 **Commit 1:** Removing the server.ssl.clientAuthentication setting * Original sha: 0b42c7d * Authored by kobelb <brandon.kobel@elastic.co> on 2017-02-08T21:41:21Z
elastic · Feb 10, 2017 · e928a3d · e928a3d
1 parent 1e30ab8
commit e928a3d
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 57 deletions.
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -37,8 +37,6 @@ startup. Your Kibana users still need to authenticate with Elasticsearch, which
 `server.ssl.certificate:` and `server.ssl.key:`:: Paths to the PEM-format SSL certificate and SSL key files, respectively.
 `server.ssl.keyPassphrase`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
 `server.ssl.certificateAuthorities`:: List of paths to PEM encoded certificate files that should be trusted.
-`server.ssl.clientAuthentication`:: *Default: none* Controls Kibana's server behavior in regard to requesting a certificate from client connections. Valid values are `required`,
- and `none`. `required` forces a client to present a certificate, while `none` does not.
 `server.ssl.supportedProtocols`:: *Default: TLSv1, TLSv1.1, TLSv1.2*  Supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
 `server.ssl.cipherSuites`:: *Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)
 `elasticsearch.ssl.cert:` and `elasticsearch.ssl.key:`:: Optional settings that provide the paths to the PEM-format SSL

diff --git a/src/server/config/__tests__/schema.js b/src/server/config/__tests__/schema.js
@@ -119,39 +119,6 @@ describe('Config schema', function () {
         });
       });
 
-      describe('clientAuthentication', function () {
-        it ('defaults to \'none\'', function () {
-          const config = {};
-          const { error, value } = validate({});
-          expect(error).to.be(null);
-          expect(value).to.be.an(Object);
-          expect(value.server).to.be.an(Object);
-          expect(value.server.ssl).to.be.an(Object);
-          expect(value.server.ssl.clientAuthentication).to.be('none');
-        });
-
-        ['none', 'required'].forEach((option) => {
-          it(`allows ${option}`, function () {
-            const config = {};
-            set(config, 'server.ssl.clientAuthentication', option);
-            const { error } = validate(config);
-            expect(error).to.be(null);
-          });
-        });
-
-        ['bogus', 'somethingelse'].forEach((option) => {
-          it(`rejects ${option}`, function () {
-            const config = {};
-            set(config, 'server.ssl.clientAuthentication', option);
-            const { error } = validate(config);
-            expect(error).to.be.an(Object);
-            expect(error).to.have.property('details');
-            expect(error.details[0]).to.have.property('path', 'server.ssl.clientAuthentication');
-          });
-        });
-
-      });
-
       describe('certificateAuthorities', function () {
         it('allows array of string', function () {
           const config = {};

diff --git a/src/server/config/schema.js b/src/server/config/schema.js
@@ -52,7 +52,6 @@ module.exports = () => Joi.object({
       }),
       keyPassphrase: Joi.string(),
       certificateAuthorities: Joi.array().single().items(Joi.string()),
-      clientAuthentication: Joi.string().valid('none', 'required').default('none'),
       supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')),
       cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':'))
     }).default(),

diff --git a/src/server/http/setup_connection.js b/src/server/http/setup_connection.js
@@ -4,23 +4,6 @@ import httpolyglot from '@elastic/httpolyglot';
 import { map } from 'lodash';
 import secureOptions from './secure_options';
 
-const getClientAuthenticationHttpOptions = (clientAuthentication) => {
-  switch (clientAuthentication) {
-    case 'none':
-      return {
-        requestCert: false,
-        rejectUnauthorized: false
-      };
-    case 'required':
-      return {
-        requestCert: true,
-        rejectUnauthorized: true
-      };
-    default:
-      throw new Error(`Unknown clientAuthentication option: ${clientAuthentication}`);
-  }
-};
-
 export default function (kbnServer, server, config) {
   // this mixin is used outside of the kbn server, so it MUST work without a full kbnServer object.
   kbnServer = null;
@@ -50,8 +33,6 @@ export default function (kbnServer, server, config) {
     return;
   }
 
-  const { requestCert, rejectUnauthorized } = getClientAuthenticationHttpOptions(config.get('server.ssl.clientAuthentication'));
-
   server.connection({
     ...connectionOptions,
     tls: true,
@@ -64,8 +45,6 @@ export default function (kbnServer, server, config) {
       ciphers: config.get('server.ssl.cipherSuites').join(':'),
       // We use the server's cipher order rather than the client's to prevent the BEAST attack
       honorCipherOrder: true,
-      requestCert,
-      rejectUnauthorized,
       secureOptions: secureOptions(config.get('server.ssl.supportedProtocols'))
     })
   });