SSL Context ignores certificate `verify_mode`

[b-deam]

Elasticsearch version (bin/elasticsearch --version): 8.x

elasticsearch-py version (elasticsearch.__versionstr__): 8.6.1

Please make sure the major version matches the Elasticsearch server you are running.

Description of the problem including expected versus actual behavior:

According to https://www.elastic.co/guide/en/elasticsearch/client/python-api/current/config.html#_using_an_sslcontext
we should be able to omit the verify_certs parameter in the client constructor if we correctly setup an ssl context object.

Steps to reproduce:

1. Start a local Elasticsearch cluster with SSL enabled and a self-signed certificate
2. Execute this reproduction script

  from elasticsearch import Elasticsearch
  import ssl
  import certifi
  
  ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=certifi.where())
  ssl_context.check_hostname = False
  ssl_context.verify_mode = ssl.CERT_NONE
  
  # works, setting verify_certs means we don't verify the certificate 
  es = Elasticsearch(
    hosts=["https://localhost:9200"],
    ssl_context=ssl_context,
    verify_certs=False,
    basic_auth=("elastic", "changeme"),
  )
  print(es.info())
  
  # fails, even though the SSL context object's verify_mode is set to NONE it still attempts to verify the certificate 
  es = Elasticsearch(
    hosts=["https://localhost:9200"],
    ssl_context=ssl_context,
    basic_auth=("elastic", "changeme"),
  )
  print(es.info())

[4lissonsilveira]

Hi @b-deam what could be a potential fix? Perhaps defaulting verify_certs to False if ssl_context is specified by the user and verify_certs is not?

e.g.: adding the below block of code to

elasticsearch-py/elasticsearch/_sync/client/utils.py

Line 112 in 650ad2a

# if there is a ssl context, verify_certy should default to False
if (
    node_options.get("ssl_context") and
    node_options.get("verify_certs") is None
):
    node_options["verify_certs"] = False

many thanks!

[pquentin]

@4lissonsilveira Hello! Setting verify_certs to False would break cases where we specify an SSLContext and actually want to verify the certificates.

Anyway, the logic should live in elastic-transport-python (this is where the default value of verify_certs is set to True). It is actually enough to change https://github.com/elastic/elastic-transport-python/blob/65424ca058388b9757c7b64e83fbb129c4833fb5/elastic_transport/_node/_http_urllib3.py#L99 to if ssl_context.verify_mode != ssl.CERT_NONE: and do the same for the requests and aiohttp backends.

Is this something you would like to work on?

[4lissonsilveira]

Hi @pquentin thanks a lot for the info, yeah, I'd like to work on it. I'll take a look at the transport lib.