In my opinion, applying additional authorization on the transport port might be overkill in the long term, given that even ES does not recommend using the transport port for data operations, as there is very little to gain and more complexity involved. Moreover, ES is trying to push their Java REST client for data access. So in the long run, in my opinion, it's not worthwhile.
So my take is to just apply SSL and certificate authorization on the transport port so that the transport port is restricted to node-to-node communications and all other operations are carried out on the HTTP port.
Now coming to making it a separate plugin: though it might appear that it will make it plug and play and usable as required (just for HTTP and just for transport), security for ES should be seen as a single solution. For me, it makes sense to add it to ROR only as transport port security is going to be a bare minimum feature. Moreover, it also adds more work for the consumers if they now have to install 2 plugins and test them out separately. Even if you develop this as a separate project, with the ability to install it separately, from a ROR packaging perspective, I would recommend that ROR include it as part of the standard package with a single install.
Also, enabling or disabling SSL should just be one feature. It really makes no sense to keep these as separate options. Who would want to enable SSL only on one port and leave the other without SSL?