Enforce Hostname Verification

Hi :wave:

I just would like to comment that it was difficult for me to set plugins.security.ssl.transport.enforce_hostname_verification: true using the current documentation. First, my initial master node logs were showing SSL Problem Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16), which wasn’t very helpful to debug.

The other node was showing logs complaining about No subject alternative names, which helped me a little bit. In the end the problem was that my self-signed certificates for nodes didn’t have a SAN, but in order to have it, I had to have an openssl.conf with the following content:

[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[dn]
C  = "CA"
ST = "ONTARIO"
L  = "TORONTO"
O  = "Canonical"
OU = "Data Platform"
CN = <fqdn>

[v3_req]
subjectAltName = @alt_names

[alt_names]
IP    = <IP>
DNS.1 = <fqdn>
DNS.2 = <hostname>

And then run the command:

openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile openssl.conf -extensions v3_req

After this, I was able to check that SAN was present in the certificate by running:
openssl x509 -noout -ext subjectAltName -in node1.pem

Without using this v3 section, the SAN is not available in the certs.

I didn’t find anything in the documentation that would help me solve this. In the troubleshooting section regarding Check SAN hostnames and IP addresses, it’s not clear to me what commands are necessary to get the information. I also had problems using keytool -list -v -keystore keystore.jks. It seems this doesn’t work out of the box. Maybe it’s my lack of experience with TLS, Java and OpenSearch, but definitely having some more tips in the documentation will help future travelers a lot.

Another thing just happened regarding this topic (Enforce Hostname Verification).

To set up CCR (Cross Cluster Replication), the documentation in Permissions uses the endpoint /_plugins/_security/api/ssl/certs?pretty, which doesn’t seem to exist:

"error" : "no handler found for uri [/_plugins/_security/api/ssl/certs?pretty] and method [GET]"

Then I just took the CN without the other parameters like OU, O, L, ST, C and added it to the opensearch.yml file. This resulted in this error:

"error" : {
    "root_cause" : [
      {
        "type" : "exception",
        "reason" : "Illegal parameter in http or transport request found.\nThis means that one node is trying to connect to another with \na non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone \nis spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/"
      }
    ],
    "type" : "exception",
    "reason" : "Illegal parameter in http or transport request found.\nThis means that one node is trying to connect to another with \na non-node certificate (no OID or security.nodes_dn incorrect configured) or that someone \nis spoofing requests. Check your TLS certificate setup as described here: See https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/tls/"

Using the full DN like the output from openssl x509 -subject -nameopt RFC2253 -noout -in foo.cert solved the issue.

Maybe in the example those other parameters were not passed for the certificate in the follower cluster, but it is a little bit misleading.
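The whole procedure from the post above, as an added example that is not part of the original post or of OpenSearch itself: it creates a demo root CA, signs a node certificate with the SAN taken from the v3_req section, and then runs the two checks that matter (SAN present, and the RFC2253 subject that goes into nodes_dn). The directory, FQDN, short hostname and IP are assumptions for the demo.

```shell
# Added example, not from the original post. Builds a demo CA and a node cert
# with SAN via v3_req, then exposes the SAN and nodes_dn checks as functions.
set -eu
WORKDIR="${WORKDIR:-./demo-pki}"             # assumed working directory
FQDN="${FQDN:-node1.example.internal}"       # assumed node FQDN (constructed)
SHORT="${SHORT:-node1}"                      # assumed short hostname
NODE_IP="${NODE_IP:-10.0.0.11}"              # assumed node IP (constructed)

make_node_cert() {
    mkdir -p "$WORKDIR"
    # Demo root CA; a real deployment signs with its existing CA instead
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=Canonical/OU=Data Platform/CN=Demo Root CA" \
        -keyout "$WORKDIR/root-ca-key.pem" -out "$WORKDIR/root-ca.pem" 2>/dev/null
    # openssl.conf as described in the post: the SAN lives in a v3_req section
    cat > "$WORKDIR/openssl.conf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[dn]
C  = CA
ST = ONTARIO
L  = TORONTO
O  = Canonical
OU = Data Platform
CN = $FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1  = $NODE_IP
DNS.1 = $FQDN
DNS.2 = $SHORT
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/openssl.conf" \
        -keyout "$WORKDIR/node1-key.pem" -out "$WORKDIR/node1.csr" 2>/dev/null
    # Without -extfile/-extensions the signed cert silently drops the SAN
    openssl x509 -req -in "$WORKDIR/node1.csr" -CA "$WORKDIR/root-ca.pem" \
        -CAkey "$WORKDIR/root-ca-key.pem" -CAcreateserial -sha256 -days 730 \
        -extfile "$WORKDIR/openssl.conf" -extensions v3_req \
        -out "$WORKDIR/node1.pem" 2>/dev/null
}

# Check 1: the SAN block that hostname verification needs (empty when missing)
node_san() { openssl x509 -noout -ext subjectAltName -in "$WORKDIR/node1.pem"; }
# Check 2: the RFC2253 subject, i.e. the exact string for plugins.security.nodes_dn
node_dn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$WORKDIR/node1.pem" | sed 's/^subject= *//'; }
```

Run make_node_cert once, then node_san and node_dn; the RFC2253 output (CN first, comma separated, no spaces around the commas) is what the follower cluster's nodes_dn entry must match.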