transport-netty4 module set TLS SNI when server_name is provided (#20321)

* transport-netty4 module set TLS SNI when server_name is provided

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

* add buildSecureClientTransportEngine hook with serverName to handle SNI

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

* delegate SNI configuration to the secureTransportSettingsProvider

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

* update CHANGELOG.md

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

* fix Changelog.md

entry pointed to Issue instead of PR

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

* fix format

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

---------

Signed-off-by: Orlando AGESOKO <orlando.agesoko@soheito.moe>

Author: orages

CHANGELOG.md

@@ -28,6 +28,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Fix Netty deprecation warnings in transport-netty4 module ([#20233](https://github.com/opensearch-project/OpenSearch/pull/20233))
 - Fix snapshot restore when an index sort is present ([#20284](https://github.com/opensearch-project/OpenSearch/pull/20284))
 - Fix SearchPhaseExecutionException to properly initCause ([#20320](https://github.com/opensearch-project/OpenSearch/pull/20320))
+- Fix `cluster.remote.<cluster_alias>.server_name` setting no populating SNI ([#20321](https://github.com/opensearch-project/OpenSearch/pull/20321))
 
 ### Dependencies
 - Bump `com.google.auth:google-auth-library-oauth2-http` from 1.38.0 to 1.41.0 ([#20183](https://github.com/opensearch-project/OpenSearch/pull/20183))

modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java

@@ -181,17 +181,29 @@ protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
         private final SecureTransportSettingsProvider secureTransportSettingsProvider;
         private final boolean hostnameVerificationEnabled;
         private final boolean hostnameVerificationResovleHostName;
+        private final String serverName;
 
         private ClientSSLHandler(
             final Settings settings,
             final SecureTransportSettingsProvider secureTransportSettingsProvider,
             final boolean hostnameVerificationEnabled,
             final boolean hostnameVerificationResovleHostName
+        ) {
+            this(settings, secureTransportSettingsProvider, hostnameVerificationEnabled, hostnameVerificationResovleHostName, null);
+        }
+
+        private ClientSSLHandler(
+            final Settings settings,
+            final SecureTransportSettingsProvider secureTransportSettingsProvider,
+            final boolean hostnameVerificationEnabled,
+            final boolean hostnameVerificationResovleHostName,
+            final String serverName
         ) {
             this.settings = settings;
             this.secureTransportSettingsProvider = secureTransportSettingsProvider;
             this.hostnameVerificationEnabled = hostnameVerificationEnabled;
             this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
+            this.serverName = serverName;
         }
 
         @Override
@@ -229,12 +241,14 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
 
                     sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(
                         settings,
+                        serverName,
                         hostname,
                         inetSocketAddress.getPort()
                     ).orElse(null);
 
                 } else {
-                    sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, null, -1).orElse(null);
+                    sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, serverName, null, -1)
+                        .orElse(null);
                 }
 
                 if (sslEngine == null) {
@@ -299,7 +313,8 @@ protected void initChannel(Channel ch) throws Exception {
                             settings,
                             secureTransportSettingsProvider,
                             hostnameVerificationEnabled,
-                            hostnameVerificationResolveHostName
+                            hostnameVerificationResolveHostName,
+                            node.getAttributes().get("server_name")
                         )
                     );
             } else {

server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java

@@ -122,4 +122,18 @@ interface SecureTransportParameters {
      * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
      */
     Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException;
+
+    /**
+     * If supported, builds the {@link SSLEngine} instance for client transport instance
+     * @param settings settings
+     * @param serverName the name to send in the TLS Server Name Indication (SNI) extension
+     * @param hostname host name
+     * @param port port
+     * @return if supported, builds the {@link SSLEngine} instance
+     * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
+     */
+    default Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port)
+        throws SSLException {
+        return buildSecureClientTransportEngine(settings, hostname, port);
+    }
 }