OpenSearch 3.5 ignores verify_hostnames: false in OpenID config and fails with SAN hostname validation error

shubtiwa · March 2, 2026, 2:09pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.5

Describe the issue:

We are configuring OpenSearch 3.5 to use OpenID authentication with Keycloak as the IdP. Our OpenSearch security configuration includes the following OpenID settings:

"authc": {
  "openid_auth_domain": {
    "http_enabled": true,
    "order": 1,
    "http_authenticator": {
      "challenge": false,
      "type": "openid",
      "config": {
        "subject_key": "preferred_username",
        "roles_key": "roles",
        "openid_connect_url": "https://ckey-ckey.xyz-ckey.svc.cluster.local:8443/access/realms/xyz-realm/.well-known/openid-configuration",
        "openid_connect_idp": {
          "enable_ssl": true,
          "verify_hostnames": false,
          "trust_all": false,
          "pemtrustedcas_filepath": "/etc/opensearch/config/certs/keycloakRootCaPem"
        }
      }
    }
  }
}

Despite setting:

"verify_hostnames": false

OpenSearch still performs hostname verification and fails with the following error:

org.opensearch.security.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://ckey-ckey.xyz-ckey.svc.cluster.local:8443/access/realms/xyz-realm/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching ckey-ckey.xyz-ckey.svc.cluster.local found

Stack trace shows failure originating from:

org.opensearch.security.auth.http.jwt.keybyoidc.KeySetRetriever org.opensearch.security.auth.http.jwt.keybyoidc.SelfRefreshingKeySet

Observed Behaviour:

OpenSearch attempts to validate hostname against certificate SAN even though:

verify_hostnames: false

is configured.

Expected Behaviour:

When:

verify_hostnames: false

is set, OpenSearch should skip hostname verification for the IdP TLS connection, similar to behavior in OpenSearch 2.x.

Observation:

This exact configuration works correctly in OpenSearch 2.x, where hostname verification is properly skipped when verify_hostnames is set to false.

The issue only appears in OpenSearch 3.x.

Is this expected behavior in OpenSearch 3.x?
Is this a known limitation or regression compared to OpenSearch 2.x?
Is there any supported way to disable hostname verification for OpenID IdP connections in OpenSearch 3.x?
Or is it mandatory that IdP certificate SAN must match the exact hostname?

Thanks!

pablo · March 2, 2026, 2:15pm

@shubtiwa Which version of 2.x you had that configuration working?

shubtiwa · March 2, 2026, 2:21pm

Opensearch version 2.19.4

Pratiksha · March 4, 2026, 7:53am

Hi @pablo
Any update on this?
Kindly look into this asap.

pablo · March 4, 2026, 7:03pm

@Pratiksha @shubtiwa I can confirm that the verify_hostnames option in the OpenID configuration is always set to true. Security plugin ignores these settings.
According to my test, the latest working version was 2.19.4. The issue started in 3.0.0

I’ve updated this GitHub issue with my findings.

github.com/opensearch-project/OpenSearch

[BUG] Security Plugin: verify_hostnames: false setting in openid_connect_idp is ignored in OpenSearch 3.5.0 — regression from 2.19.3

opened 06:13PM - 02 Mar 26 UTC

RamHaridas

bug untriaged Plugins

### Describe the bug When configuring OpenID Connect authentication in the secu…rity plugin's `config.yml`, the `openid_connect_idp.verify_hostnames: false` setting is not honored in OpenSearch 3.5.0. Hostname verification is still enforced by the Java TLS stack, causing `SSLHandshakeException` when the IdP certificate does not have a Subject Alternative Name (SAN) matching the IdP hostname. This is a regression from OpenSearch 2.19.3 where the same configuration works correctly. **Error log from OpenSearch**: ``` org.opensearch.security.auth.http.jwt.keybyoidc.AuthenticatorUnavailableException: Error while getting https://ckey-ckey.fpm-ckey.svc.cluster.local:8443/access/realms/fpm-realm/.well-known/openid-configuration: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching ckey-ckey.fpm-ckey.svc.cluster.local found. at o.o.s.a.h.j.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:245) at o.o.s.a.h.j.keybyoidc.KeySetRetriever.get(KeySetRetriever.java:108) at o.o.s.a.h.j.keybyoidc.SelfRefreshingKeySet$1.run(SelfRefreshingKeySet.java:213) Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) No subject alternative DNS name matching ckey-ckey.fpm-ckey.svc.cluster.local found. at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) at org.apache.hc.client5.http.ssl.AbstractClientTlsStrategy.executeHandshake(AbstractClientTlsStrategy.java:245) at org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy.upgrade(DefaultClientTlsStrategy.java:48) at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.upgradeToTls(DefaultHttpClientConnectionOperator.java:263) at o.o.s.a.h.j.keybyoidc.KeySetRetriever.getJwksUri(KeySetRetriever.java:218) ``` ### Related component Plugins ### To Reproduce 1. Deploy a Keycloak (or any OIDC IdP) with a self-signed TLS certificate that has **no SAN** (only CN): ``` Subject: CN=ckey.com Issuer: CN=ckey.com ``` IdP accessible at: `ckey-ckey.fpm-ckey.svc.cluster.local:8443` 2. Configure the security plugin `config.yml` with OpenID Connect and hostname verification disabled: ```yaml authc: openid_auth_domain: http_enabled: true transport_enabled: false order: 1 http_authenticator: type: openid challenge: false config: subject_key: preferred_username roles_key: roles openid_connect_url: "https://ckey-ckey.fpm-ckey.svc.cluster.local:8443/access/realms/fpm-realm/.well-known/openid-configuration" openid_connect_idp: enable_ssl: true verify_hostnames: false trust_all: false pemtrustedcas_filepath: "/etc/opensearch/config/certs/keycloakRootCaPem" authentication_backend: type: noop ``` 3. Obtain a valid JWT token from the IdP and send a request to OpenSearch: ```bash curl -k https://opensearch:9200/_cat/indices?v \ -H "Authorization: Bearer <valid_jwt_token>" ``` 4. Observe HTTP 401 with body `Authentication finally failed`. ### Expected behavior OpenSearch should skip hostname verification when `verify_hostnames: false` is set, validate the JWT successfully, and return HTTP 200. This is the behavior in OpenSearch 2.19.3. ### Additional Details **Plugins** opensearch-security **Screenshots** If applicable, add screenshots to help explain your problem. **Host/Environment (please complete the following information):** - OS: Rocky 8 - Version: 3.5.0 - **Additional context given by AI** OpenSearch 3.5.0 migrated from Apache HttpClient 4.x to 5.x. In HttpClient 5, hostname verification is performed by the JVM via `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` inside `DefaultClientTlsStrategy`. The `KeySetRetriever` does not set this to `null` when `verify_hostnames: false`, so the JVM enforces hostname checking regardless of the plugin setting.

Topic		Replies	Views
Hostname verification failure with keystore-trustore Security	6	899	February 21, 2024
Hostname verification failure Security security-issue	17	2287	January 29, 2024
Issue with OpenID Connect (OIDC) and TLS Security security-issue	6	1070	April 4, 2023
"Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException" After upgrading to OpenSearch 3.3 Security troubleshoot	5	225	October 30, 2025
Opensearch-Dashboards + Okta (OpenID Connect) Security discuss , troubleshoot , configure	4	1278	September 5, 2022

OpenSearch 3.5 ignores verify_hostnames: false in OpenID config and fails with SAN hostname validation error

Related topics