1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -27,6 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
- Fix Netty deprecation warnings in transport-netty4 module ([#20233](https://github.com/opensearch-project/OpenSearch/pull/20233))
- Fix snapshot restore when an index sort is present ([#20284](https://github.com/opensearch-project/OpenSearch/pull/20284))
- Fix SearchPhaseExecutionException to properly initCause ([#20320](https://github.com/opensearch-project/OpenSearch/pull/20320))
- Fix `cluster.remote.<cluster_alias>.server_name` setting no populating SNI ([#20321](https://github.com/opensearch-project/OpenSearch/pull/20321))

### Dependencies
- Bump `com.google.auth:google-auth-library-oauth2-http` from 1.38.0 to 1.41.0 ([#20183](https://github.com/opensearch-project/OpenSearch/pull/20183))
Expand Up @@ -181,17 +181,29 @@ protected static class ClientSSLHandler extends ChannelOutboundHandlerAdapter {
private final SecureTransportSettingsProvider secureTransportSettingsProvider;
private final boolean hostnameVerificationEnabled;
private final boolean hostnameVerificationResovleHostName;
private final String serverName;

private ClientSSLHandler(
final Settings settings,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
final boolean hostnameVerificationEnabled,
final boolean hostnameVerificationResovleHostName
) {
this(settings, secureTransportSettingsProvider, hostnameVerificationEnabled, hostnameVerificationResovleHostName, null);
}

private ClientSSLHandler(
final Settings settings,
final SecureTransportSettingsProvider secureTransportSettingsProvider,
final boolean hostnameVerificationEnabled,
final boolean hostnameVerificationResovleHostName,
final String serverName
) {
this.settings = settings;
this.secureTransportSettingsProvider = secureTransportSettingsProvider;
this.hostnameVerificationEnabled = hostnameVerificationEnabled;
this.hostnameVerificationResovleHostName = hostnameVerificationResovleHostName;
this.serverName = serverName;
}

@Override
Expand Down Expand Up @@ -229,12 +241,14 @@ public void connect(ChannelHandlerContext ctx, SocketAddress remoteAddress, Sock

sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(
settings,
serverName,
hostname,
inetSocketAddress.getPort()
).orElse(null);

} else {
sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, null, -1).orElse(null);
sslEngine = secureTransportSettingsProvider.buildSecureClientTransportEngine(settings, serverName, null, -1)
.orElse(null);
}

if (sslEngine == null) {
Expand Down Expand Up @@ -299,7 +313,8 @@ protected void initChannel(Channel ch) throws Exception {
settings,
secureTransportSettingsProvider,
hostnameVerificationEnabled,
hostnameVerificationResolveHostName
hostnameVerificationResolveHostName,
node.getAttributes().get("server_name")
)
);
} else {
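Review bot: The value read by `node.getAttributes().get("server_name")` in initChannel is stored by the new constructor unchanged (`this.serverName = serverName;`) and handed to both `buildSecureClientTransportEngine` calls in connect() with no normalization. A missing attribute yields null, which is passed through, but an attribute that is present and empty, or not a legal DNS name, is forwarded as-is; if the provider turns it into a `javax.net.ssl.SNIHostName`, that constructor throws IllegalArgumentException, presumably at connect time rather than when the setting is read. Consider normalizing in the constructor, `this.serverName = (serverName == null || serverName.isBlank()) ? null : serverName;`, with a comment that null means no explicit SNI name is requested. Both connect() and initChannel() continue outside the visible hunks, so validation elsewhere cannot be ruled out.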
Expand Up @@ -122,4 +122,18 @@ interface SecureTransportParameters {
* @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
*/
Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String hostname, int port) throws SSLException;

/**
* If supported, builds the {@link SSLEngine} instance for client transport instance
* @param settings settings
* @param serverName the name to send in the TLS Server Name Indication (SNI) extension
* @param hostname host name
* @param port port
* @return if supported, builds the {@link SSLEngine} instance
* @throws SSLException throws SSLException if the {@link SSLEngine} instance cannot be built
*/
default Optional<SSLEngine> buildSecureClientTransportEngine(Settings settings, String serverName, String hostname, int port)
throws SSLException {
return buildSecureClientTransportEngine(settings, hostname, port);
}
}
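Review bot: The default body of the four-argument `buildSecureClientTransportEngine` discards `serverName` and delegates to the three-argument overload, so a provider that does not override it still builds an engine without the configured SNI name and the caller gets no indication of that. The Javadoc should say so, for example `@implSpec The default implementation ignores {@code serverName}; providers must override this method for the SNI name to be applied.`, and `@param serverName` should state that null is allowed and means no explicit SNI name. It would also help to document whether certificate hostname verification is performed against `hostname` or `serverName` when both are given, since the two are passed separately and may differ.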