[BUG] Flight transport doesn't honour the enforce_hostname_verification setting #19578
Closed
Labels: backport 3.3, bug, v3.3.0
Description
Describe the bug
On disabling transport.ssl.enforce_hostname_verification, flight transport still goes through hostname verification. Ideally, it should honour this setting and skip verification.
Related component
Storage:Performance
To Reproduce
- Enable security and flight transport with SSL:

```yaml
opensearch.experimental.feature.transport.stream.enabled: true
transport.stream.type.default: FLIGHT-SECURE
flight.ssl.enable: true
arrow.flight.host: 0.0.0.0
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemcert_filepath: certificates/opensearch-node1.pem
plugins.security.ssl.transport.pemkey_filepath: certificates/opensearch-node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
transport.ssl.enforce_hostname_verification: false
```
- Start the multi-node cluster with the right certificates and the security plugin enabled.
- Enable stream search ("stream.search.enabled") and run a search with a terms aggregation on some high-cardinality field; this takes the stream search path. It results in the following error coming from the stream transport:
```
opensearch-node1 | [2025-10-04T01:03:37,887][WARN ][o.o.a.f.t.FlightTransportResponse] [opensearch-node1] Stream initialization failed
opensearch-node1 | org.apache.arrow.flight.FlightRuntimeException: io exception
opensearch-node1 | Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
opensearch-node1 | at org.apache.arrow.flight.CallStatus.toRuntimeException(CallStatus.java:121) ~[?:?]
opensearch-node1 | at org.apache.arrow.flight.grpc.StatusUtils.fromGrpcRuntimeException(StatusUtils.java:161) ~[?:?]
opensearch-node1 | at org.apache.arrow.flight.grpc.StatusUtils.fromThrowable(StatusUtils.java:182) ~[?:?]
opensearch-node1 | at org.apache.arrow.flight.FlightStream$Observer.onError(FlightStream.java:489) ~[?:?]
opensearch-node1 | at org.apache.arrow.flight.FlightClient$1.onError(FlightClient.java:371) ~[?:?]
opensearch-node1 | at io.grpc.stub.ClientCalls$StreamObserverToCallListenerAdapter.onClose(ClientCalls.java:581) ~[?:?]
opensearch-node1 | at io.grpc.PartialForwardingClientCallListener.onClose(PartialForwardingClientCallListener.java:39) ~[?:?]
opensearch-node1 | at io.grpc.ForwardingClientCallListener.onClose(ForwardingClientCallListener.java:23) ~[?:?]
opensearch-node1 | at io.grpc.ForwardingClientCallListener$SimpleForwardingClientCallListener.onClose(ForwardingClientCallListener.java:40) ~[?:?]
opensearch-node1 | at org.apache.arrow.flight.grpc.ClientInterceptorAdapter$FlightClientCallListener.onClose(ClientInterceptorAdapter.java:118) ~[?:?]
opensearch-node1 | at io.grpc.internal.ClientCallImpl.closeObserver(ClientCallImpl.java:565) ~[?:?]
opensearch-node1 | at io.grpc.internal.ClientCallImpl.access$100(ClientCallImpl.java:72) ~[?:?]
opensearch-node1 | at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInternal(ClientCallImpl.java:733) ~[?:?]
opensearch-node1 | at io.grpc.internal.ClientCallImpl$ClientStreamListenerImpl$1StreamClosed.runInContext(ClientCallImpl.java:714) ~[?:?]
opensearch-node1 | at io.grpc.internal.ContextRunnable.run(ContextRunnable.java:37) ~[?:?]
opensearch-node1 | at io.grpc.internal.SerializingExecutor.run(SerializingExecutor.java:133) ~[?:?]
opensearch-node1 | at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:916) ~[opensearch-3.3.0.jar:3.3.0]
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1095) ~[?:?]
opensearch-node1 | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:619) ~[?:?]
opensearch-node1 | at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]
opensearch-node1 | Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative names matching IP address 172.18.0.3 found
opensearch-node1 | at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:376) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:319) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207) ~[?:?]
opensearch-node1 | at io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1933) ~[?:?]
opensearch-node1 | ... 3 more
opensearch-node1 | Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 172.18.0.3 found
opensearch-node1 | at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:160) ~[?:?]
opensearch-node1 | at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:466) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:432) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1212) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1155) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
opensearch-node1 | at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1207) ~[?:?]
opensearch-node1 | at io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1933) ~[?:?]
```
Expected behavior
Skip hostname verification in flight transport when enforce_hostname_verification is false.
Additional Details
Plugins
security, arrow-flight-rpc
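The identity check that fails in the trace above, as an added example that is not code from the issue, from OpenSearch or from the JDK: a Python model of the JSSE hostname-matching step (`HostnameChecker.matchIP` / `matchDNS` in the trace), run against constructed SAN entries for the node certificate. The SAN contents are an assumption, since the report does not show the certificates; the peer address 172.18.0.3 is the one in the trace. It shows why an IP-literal peer is rejected when the certificate carries only DNS SANs, why a DNS SAN cannot fix that, what the transport is expected to do when enforce_hostname_verification is false, and, going beyond this report, the leftmost-label wildcard rules JSSE applies to dNSName entries (CN fallback is deliberately left out).

```python
import ipaddress

# Constructed sample: plausible SAN entries for the opensearch-node1 certificate
# in the reproduction (compose service name plus an internal wildcard, no IP
# entry). This is an assumption; the report does not show the certificate.
NODE_CERT_SANS = {
    "dns": ["opensearch-node1", "*.example.internal"],
    "ip": [],
}


def _dns_match(pattern: str, name: str) -> bool:
    """Approximation of the JSSE dNSName rules: case-insensitive exact match, or a
    wildcard that is the whole leftmost label, matches exactly one label and is
    never accepted for a pattern with fewer than three labels."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # only a bare leftmost '*' is a valid wildcard
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False  # '*' never spans labels and '*.tld' is rejected
    return p_labels[1:] == n_labels[1:]


def check_identity(peer: str, sans: dict, enforce_hostname_verification: bool) -> None:
    """Model of X509TrustManagerImpl.checkIdentity as seen in the trace.
    Raises ValueError when the peer identity is not covered by the certificate.
    Returns silently when it is, or when verification is turned off, which is
    the behaviour the report expects from the flight transport."""
    if not enforce_hostname_verification:
        return
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        peer_ip = None
    if peer_ip is not None:
        # An IP literal is matched only against iPAddress SAN entries; a CN or a
        # dNSName entry never satisfies it, so a DNS-only cert always fails here.
        for entry in sans["ip"]:
            if ipaddress.ip_address(entry) == peer_ip:
                return
        raise ValueError(f"No subject alternative names matching IP address {peer} found")
    for entry in sans["dns"]:
        if _dns_match(entry, peer):
            return
    raise ValueError(f"No subject alternative DNS name matching {peer} found")


def connection_outcome(peer: str, sans: dict, enforce: bool) -> str:
    """'ok' or the verification error text, handy for auditing a cert/peer pair."""
    try:
        check_identity(peer, sans, enforce)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # The node reaches its neighbour by the docker network IP from the trace.
    for enforce in (True, False):
        print(f"enforce={enforce}: {connection_outcome('172.18.0.3', NODE_CERT_SANS, enforce)}")
    # The alternative that keeps verification on: an iPAddress SAN for that address.
    fixed = {"dns": NODE_CERT_SANS["dns"], "ip": ["172.18.0.3"]}
    print(f"with IP SAN: {connection_outcome('172.18.0.3', fixed, True)}")
```

Two things follow for anyone hitting this. Honouring the flag is the fix the issue asks for, but turning hostname verification off removes the only check that ties the presented certificate to the peer you meant to reach; for a production cluster the better route is to keep it on and issue node certificates whose iPAddress SANs cover every address the flight transport actually dials, since the transport connects by IP here and no dNSName entry can satisfy that.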