From 71d2407a78c9ddc351c0c7d384fd69d417a5bff1 Mon Sep 17 00:00:00 2001 From: Patrick Mueller Date: Mon, 1 Mar 2021 16:30:21 -0500 Subject: [PATCH] [actions] for simplistic email servers, set rejectUnauthorized to false (#91760) resolves https://github.com/elastic/kibana/issues/91686 The poor email action has not had great success in setting TLS options correctly. Prior to 7.11, it was basically always setting `rejectUnauthorized` to false, so was never validating certificates. Starting in 7.11.0, it started respecting TLS certificates, but there are some simple/test servers in use that use self-signed certificates. The real fix for this will be the resolution of issue https://github.com/elastic/kibana/issues/80120 , but until then, this PR does a special-case check if the `secure` option is off (so the email client connects with a plain socket and then upgrades to TLS via STARTTLS) and both the user and password for the server are not set, then it will use `rejectUnauthorized: false`. Otherwise, it uses the global configured value of this setting. This also changes some other cases, where `secure: true` often did not set any `rejectUnauthorized` property at all, and so did not get verified. Now in all cases, `rejectUnauthorized` will be set, and the value will correspond to the globally configured value, except for the special case checked here, and when a proxy is in use (that logic did not change). So it is possible this would break customers, who were using insecure servers and email action worked, but with this fix the connections will be rejected. They should have been rejected all this time though. The work-around for this problem, if we don't implement a fix like this, is that customers will need to set the global `rejectUnauthorized` to `false`, which means NONE of their TLS connections for any actions will be verified. Which seems extreme. --- .../builtin_action_types/lib/send_email.test.ts | 5 ++++- .../server/builtin_action_types/lib/send_email.ts | 11 +++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.test.ts b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.test.ts index c6317a6a980bb..cc3f03f50c36f 100644 --- a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.test.ts +++ b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.test.ts @@ -138,7 +138,7 @@ describe('send_email module', () => { "port": 1025, "secure": false, "tls": Object { - "rejectUnauthorized": true, + "rejectUnauthorized": false, }, }, ] @@ -187,6 +187,9 @@ describe('send_email module', () => { "host": "example.com", "port": 1025, "secure": true, + "tls": Object { + "rejectUnauthorized": true, + }, }, ] `); diff --git a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts index 79842f4aec02b..d4905015f7663 100644 --- a/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts +++ b/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts @@ -80,10 +80,13 @@ export async function sendEmail(logger: Logger, options: SendEmailOptions): Prom }; transportConfig.proxy = proxySettings.proxyUrl; transportConfig.headers = proxySettings.proxyHeaders; - } else if (!transportConfig.secure) { - transportConfig.tls = { - rejectUnauthorized, - }; + } else if (!transportConfig.secure && user == null && password == null) { + // special case - if secure:false && user:null && password:null set + // rejectUnauthorized false, because simple/test servers that don't even + // authenticate rarely have valid certs; eg cloud proxy, and npm maildev + transportConfig.tls = { rejectUnauthorized: false }; + } else { + transportConfig.tls = { rejectUnauthorized }; } }