From 6775bdbd201b36eb2e6223ed1432c067b1faf197 Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Wed, 24 Dec 2025 16:27:28 +0100
Subject: [PATCH 1/6] transport-netty4 module set TLS SNI when server_name is provided
Signed-off-by: Orlando AGESOKO
---
 .../netty4/ssl/SecureNetty4Transport.java | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
index 90a9194d3cfd7..d9e5014a931c3 100644
--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -50,13 +50,18 @@
 import org.opensearch.transport.netty4.Netty4Transport;
 import org.opensearch.transport.netty4.ssl.SecureConnectionTestUtil.SSLConnectionTestResult;
+import javax.net.ssl.SNIHostName;
+import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.ArrayList;
+import java.util.List;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
@@ -181,6 +186,7 @@ protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
 private final SecureTransportSettingsProvider secureTransportSettingsProvider;
 private final boolean hostnameVerificationEnabled;
 private final boolean hostnameVerificationResovleHostName;
+ private final String serverName;
 private ClientSSLHandler(
 final Settings settings,
@@ -192,6 +198,21 @@ private ClientSSLHandler(
 this.secureTransportSettingsProvider = secureTransportSettingsProvider;
 this.hostnameVerificationEnabled = hostnameVerificationEnabled;
 this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
+ this.serverName = null;
+ }
+
+ private ClientSSLHandler(
+ final Settings settings,
+ final SecureTransportSettingsProvider secureTransportSettingsProvider,
+ final boolean hostnameVerificationEnabled,
+ final boolean hostnameVerificationResovleHostName,
+ final String serverName
+ ) {
+ this.settings = settings;
+ this.secureTransportSettingsProvider = secureTransportSettingsProvider;
+ this.hostnameVerificationEnabled = hostnameVerificationEnabled;
+ this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
+ this.serverName = serverName;
 }
 @Override
@@ -243,6 +264,13 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
 } catch (final SSLException e) {
 throw ExceptionsHelper.convertToOpenSearchException(e);
 }
+ if (serverName != null) {
+ SSLParameters params = sslEngine.getSSLParameters();
+ List serverNames = new ArrayList<>(1);
+ serverNames.add(new SNIHostName(serverName));
+ params.setServerNames(serverNames);
+ sslEngine.setSSLParameters(params);
+ }
 final SslHandler sslHandler = new SslHandler(sslEngine);
 ctx.pipeline().replace(this, "ssl_client", sslHandler);
@@ -299,7 +327,8 @@ protected void initChannel(Channel ch) throws Exception {
 settings,
 secureTransportSettingsProvider,
 hostnameVerificationEnabled,
- hostnameVerificationResolveHostName
+ hostnameVerificationResolveHostName,
+ node.getAttributes().get("server_name")
 )
 );
 } else {
From 457db05b0534324cb124cb598364fa2e1bfac1a5 Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Fri, 2 Jan 2026 10:51:28 +0100
Subject: [PATCH 2/6] add buildSecureClientTransportEngine hook with serverName to handle SNI
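Review bot: The attribute key `"server_name"` in the new `node.getAttributes().get("server_name")` argument is a bare string literal with no comment tying it to the `cluster.remote.<alias>.server_name` setting it is meant to surface, so nothing keeps the producer of that attribute and this consumer from drifting apart. I cannot see from this diff where the attribute is written (presumably the proxy connection strategy), but a shared constant such as `static final String SERVER_NAME_ATTRIBUTE = "server_name";` referenced by both sides would make the contract explicit, and a call-site comment `// SNI name from cluster.remote.<alias>.server_name, carried as a node attribute; null when not configured` would document why `get` may return null, which the `serverName != null` guard in the connect() hunk above relies on. If node attributes can also arrive from a remote cluster's published state rather than only from local settings, this value is not purely operator-controlled and must never be used for endpoint identification — worth stating on the `serverName` field. initChannel's body starts and ends outside this hunk.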
Signed-off-by: Orlando AGESOKO
---
 .../plugins/SecureTransportSettingsProvider.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index 1e60c3f9b0f71..42f33cdab8d98 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -122,4 +122,17 @@ interface SecureTransportParameters {
 * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
 */
 Optional buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException;
+
+ /**
+ * If supported, builds the {@link SSLEngine} instance for client transport instance
+ * @param settings settings
+ * @param serverName the name to send in the TLS Server Name Indication (SNI) extension
+ * @param hostname host name
+ * @param port port
+ * @return if supported, builds the {@link SSLEngine} instance
+ * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
+ */
+ default Optional buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port) throws SSLException {
+ return buildSecureClientTransportEngine(settings, hostname, port);
+ }
 }
From 5aea68d77a066badc3c2638ee63903f93570a47b Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Fri, 2 Jan 2026 11:09:24 +0100
Subject: [PATCH 3/6] delegate SNI configuration to the secureTransportSettingsProvider
Signed-off-by: Orlando AGESOKO
---
 .../netty4/ssl/SecureNetty4Transport.java | 22 ++++--------------
 1 file changed, 4 insertions(+), 18 deletions(-)
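Review bot: The default body of the new five-argument overload silently discards `serverName` — it delegates to the three-argument hook and nothing sets the SNI extension — so after this series the `server_name` setting still does not populate SNI for any provider that has not overridden the new method, and the Javadoc does not say so. If providers are meant to own SNI, the Javadoc should state it (`@implSpec The default implementation ignores {@code serverName}; override it to send SNI.`) and the changelog claim should be qualified; otherwise the default can apply the name itself to the engine the existing hook returns, as sketched below (this needs `SNIHostName`, `SSLParameters` and `List` imports in the interface). Either way the doc should say that `serverName` feeds only the SNI extension and that endpoint identification must remain bound to `hostname`, since a provider that verifies against the SNI value would let whoever controls the node attribute choose the identity being checked. Note also that `javax.net.ssl.SNIHostName` rejects malformed or empty names with an `IllegalArgumentException`, which is not the `SSLException` this hook advertises and the transport's `connect()` catches; the sketch converts it. The interface continues past the end of this hunk.
```java
    // … unchanged: Javadoc for the five-argument overload …
    default Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port)
        throws SSLException {
        final Optional<SSLEngine> engine = buildSecureClientTransportEngine(settings, hostname, port);
        if (engine.isPresent() && serverName != null && serverName.isEmpty() == false) {
            // SNI only: selects the certificate the server presents; endpoint identification stays bound to hostname
            final SSLParameters params = engine.get().getSSLParameters();
            try {
                params.setServerNames(List.of(new SNIHostName(serverName)));
            } catch (final IllegalArgumentException e) {
                // SNIHostName rejects malformed names with IAE; surface it as the SSLException callers already handle
                throw new SSLException("invalid SNI server name: " + serverName, e);
            }
            engine.get().setSSLParameters(params);
        }
        return engine;
    }
```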
diff --git a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
index d9e5014a931c3..0dc05e062af96 100644
--- a/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
+++ b/modules/transport-netty4/src/main/java/org/opensearch/transport/netty4/ssl/SecureNetty4Transport.java
@@ -50,18 +50,13 @@
 import org.opensearch.transport.netty4.Netty4Transport;
 import org.opensearch.transport.netty4.ssl.SecureConnectionTestUtil.SSLConnectionTestResult;
-import javax.net.ssl.SNIHostName;
-import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLParameters;
 import java.net.InetSocketAddress;
 import java.net.SocketAddress;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
-import java.util.ArrayList;
-import java.util.List;
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
@@ -194,11 +189,7 @@ private ClientSSLHandler(
 final boolean hostnameVerificationEnabled,
 final boolean hostnameVerificationResovleHostName
 ) {
- this.settings = settings;
- this.secureTransportSettingsProvider = secureTransportSettingsProvider;
- this.hostnameVerificationEnabled = hostnameVerificationEnabled;
- this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
- this.serverName = null;
+ this(settings, secureTransportSettingsProvider, hostnameVerificationEnabled, hostnameVerificationResovleHostName, null);
 }
 private ClientSSLHandler(
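Review bot: The four-argument constructor this hunk reduces to `this(..., null)` now exists only to forward a null `serverName`; the one call site visible in this series (`initChannel`, changed in patch 1) was switched to the five-argument form, so unless another caller outside the diff — for instance the `else` branch of `initChannel` — still uses it, the shim can be deleted rather than kept as a second entry point. If it stays, a one-line comment such as `// no SNI: the node carries no server_name attribute` would record that the null path is deliberate. The five-argument constructor it delegates to continues past the end of this hunk.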
@@ -250,12 +241,14 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
 sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(
 settings,
+ serverName,
 hostname,
 inetSocketAddress.getPort()
 ).orElse(null);
 } else {
- sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, null, -1).orElse(null);
+ sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, serverName, null, -1)
+ .orElse(null);
 }
 if (sslEngine == null) {
@@ -264,13 +257,6 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock
 } catch (final SSLException e) {
 throw ExceptionsHelper.convertToOpenSearchException(e);
 }
- if (serverName != null) {
- SSLParameters params = sslEngine.getSSLParameters();
- List serverNames = new ArrayList<>(1);
- serverNames.add(new SNIHostName(serverName));
- params.setServerNames(serverNames);
- sslEngine.setSSLParameters(params);
- }
 final SslHandler sslHandler = new SslHandler(sslEngine);
 ctx.pipeline().replace(this, "ssl_client", sslHandler);
From 848871ab89eba1fd3d21659fbbfa4c4eaf97a03c Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Fri, 2 Jan 2026 15:23:34 +0100
Subject: [PATCH 4/6] update CHANGELOG.md
Signed-off-by: Orlando AGESOKO
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6956af0501a5f..6b98d27bd36fc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
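Review bot: Both call sites now forward `serverName` to the provider, but nothing at this layer records that it is only meant to select the SNI extension; in the `else` branch it is passed beside a `null` hostname, which invites a provider override to fall back to `serverName` as the peer identity when hostname verification is disabled. A comment above the branch would pin the contract: `// serverName feeds the TLS SNI extension only; peer identity is verified against hostname, never against serverName`. Since the second hunk removes the direct `setSSLParameters` block, the transport itself no longer sets SNI at all, so that comment should also say the setting is honoured only if the provider's five-argument overload applies it. connect() starts before and ends after these hunks.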
@@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Fix bug in Assertion framework(Yaml Rest test): numeric comparison fails when comparing Integer vs Long (or Float vs Double) ([#19376](https://github.com/opensearch-project/OpenSearch/pull/19376))
 - Fix Netty deprecation warnings in transport-netty4 module ([#20233](https://github.com/opensearch-project/OpenSearch/pull/20233))
 - Fix snapshot restore when an index sort is present ([#20284](https://github.com/opensearch-project/OpenSearch/pull/20284))
+- Fix `cluster.remote..server_name` setting no populating SNI ([#17316](https://github.com/opensearch-project/OpenSearch/pull/17316))
 ### Dependencies
 - Bump `com.google.auth:google-auth-library-oauth2-http` from 1.38.0 to 1.41.0 ([#20183](https://github.com/opensearch-project/OpenSearch/pull/20183))
From 13d3a22ad0f05644733cc2973f68d7040e56678a Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Fri, 2 Jan 2026 15:46:42 +0100
Subject: [PATCH 5/6] fix Changelog.md entry pointed to Issue instead of PR
Signed-off-by: Orlando AGESOKO
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b98d27bd36fc..face870b04191 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,7 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Fix bug in Assertion framework(Yaml Rest test): numeric comparison fails when comparing Integer vs Long (or Float vs Double) ([#19376](https://github.com/opensearch-project/OpenSearch/pull/19376))
 - Fix Netty deprecation warnings in transport-netty4 module ([#20233](https://github.com/opensearch-project/OpenSearch/pull/20233))
 - Fix snapshot restore when an index sort is present ([#20284](https://github.com/opensearch-project/OpenSearch/pull/20284))
-- Fix `cluster.remote..server_name` setting no populating SNI ([#17316](https://github.com/opensearch-project/OpenSearch/pull/17316))
+- Fix `cluster.remote..server_name` setting no populating SNI ([#20321](https://github.com/opensearch-project/OpenSearch/pull/20321))
 ### Dependencies
 - Bump `com.google.auth:google-auth-library-oauth2-http` from 1.38.0 to 1.41.0 ([#20183](https://github.com/opensearch-project/OpenSearch/pull/20183))
From edb90c132204ab6f611809500b4d8c3cdef70b9f Mon Sep 17 00:00:00 2001
From: Orlando AGESOKO
Date: Tue, 6 Jan 2026 11:25:48 +0100
Subject: [PATCH 6/6] fix format
Signed-off-by: Orlando AGESOKO
---
 .../opensearch/plugins/SecureTransportSettingsProvider.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
index 42f33cdab8d98..f1f8ea17c2e20 100644
--- a/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
+++ b/server/src/main/java/org/opensearch/plugins/SecureTransportSettingsProvider.java
@@ -132,7 +132,8 @@ interface SecureTransportParameters {
 * @return if supported, builds the {@link SSLEngine} instance
 * @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
 */
- default Optional buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port) throws SSLException {
+ default Optional buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port)
+ throws SSLException {
 return buildSecureClientTransportEngine(settings, hostname, port);
 }
 }