Sahil

Reputation: 468

How to disable SSL verification for Elasticsearch RestClient v6.7.0 in Java

I'm trying to connect to an Elasticsearch instance which is behind an SSH tunnel. The domain of the Elasticsearch instance is *.ap-south-1.es.amazonaws.com, while locally on the tunnel I connect via localhost:9201.

Here is the code I'm using to connect to Elasticsearch:

RestHighLevelClient(RestClient.builder(HttpHost("localhost", 9201, "https")))

I'm getting the following error:

javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=*.ap-south-1.es.amazonaws.com)

I got this error when I was working with PHP-Elasticsearch, and I fixed it using:

$esClient->setSSLVerification(false);

I was hoping to find a similar method for Java RestClient.

Upvotes: 11

Views: 22902

Answers (4)

Hrithik Manchanda

Reputation: 138

For this you have to disable the setting that verifies the hostname against the name you provided. This is an error from Apache HttpClient, and you have to treat the hostname as verified in the setSSLHostnameVerifier method like this.

Although this code is in Kotlin, one can write the Java alternative easily.

val builder = RestClient.builder(host).setHttpClientConfigCallback { httpAsyncClientBuilder ->
    httpAsyncClientBuilder.setSSLHostnameVerifier { _, _ -> true }
}

This will always override your hostname verification setting to true.

Here is the Java code reference.

// host is the HttpHost you connect to (e.g. new HttpHost("localhost", 9201, "https"))
RestClientBuilder builder = RestClient.builder(host);
// The verifier receives (hostname, sslSession) and returning true accepts any name
builder.setHttpClientConfigCallback(httpAsyncClientBuilder ->
    httpAsyncClientBuilder.setSSLHostnameVerifier((host, sslSession) -> true));
new RestHighLevelClient(builder);

Upvotes: 4

AMA

Reputation: 427

Since the hostname in your certificate is not localhost, you will have this issue. To solve it you need to disable SSL hostname verification by doing the following: always return true, and this will skip the verification.

// Build against the tunnel endpoint from the question (localhost:9201 over https)
RestClientBuilder restClientBuilder = RestClient.builder(new HttpHost("localhost", 9201, "https"));
// (s, sslSession) -> true accepts whatever name the certificate carries
restClientBuilder.setHttpClientConfigCallback(httpAsyncClientBuilder ->
    httpAsyncClientBuilder.setSSLHostnameVerifier((s, sslSession) -> true));
new RestHighLevelClient(restClientBuilder);

Upvotes: 14
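A narrower alternative to the accept-everything verifier, added here as an example and not taken from any of the answers: keep the default certificate chain validation and have Apache HttpClient's standard DefaultHostnameVerifier compare the certificate against the tunnel's real endpoint instead of against localhost. EXPECTED_HOST is a placeholder for your actual domain, and the same httpclient and elasticsearch-rest-high-level-client dependencies the answers use are assumed.

```java
import javax.net.ssl.SSLSession;
import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;

public class TunnelledEsClient {

    // Placeholder: the real endpoint behind the SSH tunnel, i.e. the name the
    // server certificate is issued for. Substitute your own domain.
    static final String EXPECTED_HOST = "example-domain.ap-south-1.es.amazonaws.com";

    // HttpClient's standard verifier: SAN/CN matching with the usual wildcard rules.
    private static final DefaultHostnameVerifier STANDARD = new DefaultHostnameVerifier();

    /**
     * Accepts the TLS session only if the peer certificate is valid for
     * expectedHost. The connection target (localhost) is deliberately not
     * consulted: it is the tunnel entry point, not the certificate's subject.
     */
    static boolean matchesExpectedHost(String expectedHost, SSLSession session) {
        return STANDARD.verify(expectedHost, session);
    }

    static RestHighLevelClient build() {
        RestClientBuilder builder =
                RestClient.builder(new HttpHost("localhost", 9201, "https"));
        // Chain validation against the JVM trust store is left untouched; only
        // the name that is compared against the certificate changes.
        builder.setHttpClientConfigCallback(httpClientBuilder ->
                httpClientBuilder.setSSLHostnameVerifier(
                        (hostname, session) -> matchesExpectedHost(EXPECTED_HOST, session)));
        return new RestHighLevelClient(builder);
    }
}
```

If the tunnel is pointed at the wrong backend, the handshake still fails with SSLPeerUnverifiedException instead of being silently accepted.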

Alexey Stepanov

Reputation: 811

Full working example of disabling SSL verification for Elastic with Spring Boot in Kotlin.

import org.apache.http.conn.ssl.NoopHostnameVerifier
import org.apache.http.conn.ssl.TrustAllStrategy
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder
import org.apache.http.ssl.SSLContexts
import org.elasticsearch.client.RestClientBuilder
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.boot.autoconfigure.elasticsearch.RestClientBuilderCustomizer
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

// Only active when spring.elasticsearch.rest.ssl.disable=DISABLE_SSL is set
@Configuration
@ConditionalOnProperty(name = ["spring.elasticsearch.rest.ssl.disable"], havingValue = "DISABLE_SSL")
class ElasticSSLCertDisableConfig {

    // TrustAllStrategy accepts every certificate chain, so chain validation is off
    private val sslContext = SSLContexts.custom()
        .loadTrustMaterial(null, TrustAllStrategy.INSTANCE)
        .build()

    @Bean
    fun restClientBuilderCustomizer() = object : RestClientBuilderCustomizer {
        override fun customize(builder: HttpAsyncClientBuilder) {
            builder.setSSLContext(sslContext)
            // NoopHostnameVerifier skips the hostname check as well
            builder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
        }

        override fun customize(builder: RestClientBuilder) {}
    }
}

ATTENTION: Use it for development environments only.

Upvotes: 3

Anusree

Reputation: 174

I hope this gives a complete answer.

I hope this will help you; I had the same problem and this is how I resolved it.

import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;
import org.elasticsearch.client.RestHighLevelClient;
import org.springframework.context.annotation.Bean;

    @Bean
    public RestHighLevelClient createSimpleElasticClient() throws Exception {
        try {
            // Trust strategy (chain, authType) -> true accepts every certificate chain
            SSLContextBuilder sslBuilder = SSLContexts.custom()
                    .loadTrustMaterial(null, (x509Certificates, s) -> true);
            final SSLContext sslContext = sslBuilder.build();
            // hostNameOrLoadbalancerURL: the Elasticsearch host or load balancer name, supplied by the caller
            RestHighLevelClient client = new RestHighLevelClient(RestClient
                    .builder(new HttpHost(hostNameOrLoadbalancerURL, 443, "https"))
                    // port number is given as 443 since it's the https schema
                    .setHttpClientConfigCallback(new HttpClientConfigCallback() {
                        @Override
                        public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                            return httpClientBuilder
                                    .setSSLContext(sslContext)
                                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
                        }
                    })
                    .setRequestConfigCallback(new RestClientBuilder.RequestConfigCallback() {
                        @Override
                        public RequestConfig.Builder customizeRequestConfig(
                                RequestConfig.Builder requestConfigBuilder) {
                            return requestConfigBuilder.setConnectTimeout(5000)
                                    .setSocketTimeout(120000);
                        }
                    }));
            System.out.println("elasticsearch client created");
            return client;
        } catch (Exception e) {
            System.out.println(e);
            throw new Exception("Could not create an elasticsearch client!!");
        }
    }

Upvotes: 8
