fix some verify_mode edge cases

Author: jsvd

lib/logstash/inputs/http.rb

@@ -191,10 +191,14 @@ def validate_ssl_settings!
       raise LogStash::ConfigurationError, "Certificate or JKS must be configured"
     end
 
-    if @ssl && original_params.key?("verify_mode")
-      if original_params.key?("ssl_verify_mode")
+    if @ssl && (original_params.key?("verify_mode") && original_params.key?("ssl_verify_mode"))
         raise LogStash::ConfigurationError, "Both 'ssl_verify_mode' and 'verify_mode' were set. Use only 'ssl_verify_mode'."
-      end
+    elsif original_params.key?("verify_mode")
+      @ssl_verify_mode_final = @verify_mode
+    elsif original_params.key?("ssl_verify_mode")
+      @ssl_verify_mode_final = @ssl_verify_mode
+    else
+      @ssl_verify_mode_final = @ssl_verify_mode
     end
 
     if @ssl && require_certificate_authorities? && !client_authentication?
@@ -213,11 +217,9 @@ def build_ssl_params
     return nil unless @ssl
 
     ssl_builder = nil
-    verify_mode_string = nil
 
     if @keystore && @keystore_password
       ssl_builder = org.logstash.plugins.inputs.http.util.JksSslBuilder.new(@keystore, @keystore_password.value)
-      verify_mode_string = @verify_mode.upcase if original_params.key?("verify_mode")
     else
       begin
         ssl_builder = org.logstash.plugins.inputs.http.util.SslSimpleBuilder.new(@ssl_certificate, @ssl_key, @ssl_key_passphrase.nil? ? nil : @ssl_key_passphrase.value)
@@ -227,14 +229,13 @@ def build_ssl_params
       end
 
       if client_authentication?
-        verify_mode_string = @ssl_verify_mode.upcase
         ssl_builder.setCertificateAuthorities(@ssl_certificate_authorities)
       end
     end
 
     ssl_context = ssl_builder.build()
     ssl_handler_provider = org.logstash.plugins.inputs.http.util.SslHandlerProvider.new(ssl_context)
-    ssl_handler_provider.setVerifyMode(verify_mode_string)
+    ssl_handler_provider.setVerifyMode(@ssl_verify_mode_final.upcase)
     ssl_handler_provider.setProtocols(convert_protocols)
     ssl_handler_provider.setHandshakeTimeoutMilliseconds(@ssl_handshake_timeout)
 
@@ -254,7 +255,7 @@ def client_authentication?
   end
 
   def require_certificate_authorities?
-    @ssl_verify_mode == "force_peer" || @ssl_verify_mode == "peer"
+    @ssl_verify_mode_final == "force_peer" || @ssl_verify_mode_final == "peer"
   end
 
   def normalized_ciphers

spec/inputs/http_spec.rb

@@ -6,6 +6,8 @@
 require "zlib"
 require "stringio"
 
+java_import "io.netty.handler.ssl.util.SelfSignedCertificate"
+
 describe LogStash::Inputs::Http do
 
   before do
@@ -355,15 +357,65 @@
       end
     end
     context "with :ssl_certificate" do
-      let(:ssl_certificate) { Stud::Temporary.file }
-      let(:ssl_key) { Stud::Temporary.file }
+      let(:ssc) { SelfSignedCertificate.new }
+      let(:ssl_certificate) { ssc.certificate }
+      let(:ssl_key) { ssc.private_key }
+
+      after(:each) { ssc.delete }
+
       subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
                                            "ssl_certificate" => ssl_certificate.path,
                                            "ssl_key" => ssl_key.path) }
       it "should not raise exception" do
-        expect(subject).to receive(:build_ssl_params)
         expect { subject.register }.to_not raise_exception
       end
+
+      context "with ssl_verify_mode = none" do
+        subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
+                                             "ssl_certificate" => ssl_certificate.path,
+                                             "ssl_key" => ssl_key.path,
+                                             "ssl_verify_mode" => "none"
+                                            ) }
+        it "should not raise exception" do
+          expect { subject.register }.to_not raise_exception
+        end
+      end
+      ["peer", "force_peer"].each do |verify_mode|
+        context "with ssl_verify_mode = #{verify_mode}" do
+          subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
+                                               "ssl_certificate" => ssl_certificate.path,
+                                               "ssl_certificate_authorities" => ssl_certificate.path,
+                                               "ssl_key" => ssl_key.path,
+                                               "ssl_verify_mode" => verify_mode
+                                              ) }
+          it "should not raise exception" do
+            expect { subject.register }.to_not raise_exception
+          end
+        end
+      end
+      context "with verify_mode = none" do
+        subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
+                                             "ssl_certificate" => ssl_certificate.path,
+                                             "ssl_key" => ssl_key.path,
+                                             "verify_mode" => "none"
+                                            ) }
+        it "should not raise exception" do
+          expect { subject.register }.to_not raise_exception
+        end
+      end
+      ["peer", "force_peer"].each do |verify_mode|
+        context "with verify_mode = #{verify_mode}" do
+          subject { LogStash::Inputs::Http.new("port" => port, "ssl" => true,
+                                               "ssl_certificate" => ssl_certificate.path,
+                                               "ssl_certificate_authorities" => ssl_certificate.path,
+                                               "ssl_key" => ssl_key.path,
+                                               "verify_mode" => verify_mode
+                                              ) }
+          it "should not raise exception" do
+            expect { subject.register }.to_not raise_exception
+          end
+        end
+      end
     end
   end
 end

src/main/java/org/logstash/plugins/inputs/http/util/SslHandlerProvider.java

@@ -13,12 +13,13 @@ public class SslHandlerProvider {
 
     private final static Logger logger = LogManager.getLogger(SslSimpleBuilder.class);
     private final SslContext sslContext;
-    private SslClientVerifyMode verifyMode = SslClientVerifyMode.FORCE_PEER;
+    private SslClientVerifyMode verifyMode = SslClientVerifyMode.NONE;
     private long handshakeTimeoutMilliseconds = 10000;
 
     enum SslClientVerifyMode {
         VERIFY_PEER,
         FORCE_PEER,
+        NONE
     }
 
     private String[] protocols = new String[] { "TLSv1.2" };