  1. Nuxeo Platform
  2. NXP-31837

Add an option to disable hostname verification during Elastic/OpenSearch SSL handshake


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2023.0, 2021.37
    • Component/s: Elasticsearch
    • Release Notes Summary:
      A property is added to disable hostname verification during SSL handshake with Elasticsearch.
    • Tags:
    • Upgrade notes:

      You can now use elasticsearch.restClient.ssl.certificate.verification=false to disable hostname verification during SSL handshake for accessing a testing instance of OpenSearch or Elasticsearch running with a test certificate.

    • Team:
      PLATFORM
    • Sprint:
      nxplatform #85, nxplatform #86
    • Story Points:
      1

      Description

      When Elastic or OpenSearch is configured with SSL, the hostname is verified during the SSL handshake. This can be tricky to handle on a test instance where a certificate already exists and doesn't match the node hostname; in this case it fails with an error like:

      Unable to connect to Elasticsearch: https://elastic:9200
      org.nuxeo.launcher.config.ConfigurationException: Unable to connect to Elasticsearch: https://elastic:9200
              at org.nuxeo.elasticsearch.ElasticSearchChecker.getHealthStatus(ElasticSearchChecker.java:89) ~[nuxeo-elasticsearch-core-2021.37-SNAPSHOT.jar:?]
      ...
      Caused by: org.nuxeo.ecm.core.api.NuxeoException: java.io.IOException: Host name 'elastic' does not match the certificate subject provided by the peer (CN=node-0.example.com, OU=node, O=node, L=test, DC=de)
              at org.nuxeo.elasticsearch.client.ESRestClient.performRequest(ESRestClient.java:247) ~[nuxeo-elasticsearch-core-2021.37-SNAPSHOT.jar:?]
      ...
      Caused by: java.io.IOException: Host name 'elastic' does not match the certificate subject provided by the peer (CN=node-0.example.com, OU=node, O=node, L=test, DC=de)
              at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:854) ~[elasticsearch-rest-client-7.9.2.jar:7.9.2]
       ...
      Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'elastic' does not match the certificate subject provided by the peer (CN=node-0.example.com, OU=node, O=node, L=test, DC=de)
              at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:209) ~[httpasyncclient-4.1.4.jar:4.1.4]
              at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188) ~[httpasyncclient-4.1.4.jar:4.1.4]
              at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:371) ~[httpcore-nio-4.4.13.jar:4.4.13]
      
      

      It is common to have an option to skip certificate verification on the client side.
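
What the property amounts to at the HTTP client layer, as an added example that is not Nuxeo's code: the stack trace shows the check is made by Apache HttpAsyncClient underneath the Elasticsearch REST client, so the example swaps that client's hostname verifier. The names `EsHostnameVerification`, `verificationEnabled`, `verifierFor` and `build`, and reading the property as a JVM system property, are assumptions.

```java
import javax.net.ssl.HostnameVerifier;

import org.apache.http.HttpHost;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.elasticsearch.client.RestClient;

// Added example, not Nuxeo code: class and method names are hypothetical.
public class EsHostnameVerification {

    // Property name taken from the upgrade notes; reading it as a JVM system
    // property is an assumption made to keep the example self-contained.
    static final String PROP = "elasticsearch.restClient.ssl.certificate.verification";

    // Verification stays on unless the property is explicitly "false".
    static boolean verificationEnabled() {
        return !"false".equalsIgnoreCase(System.getProperty(PROP, "true").trim());
    }

    // DefaultHostnameVerifier compares the requested host name with the names
    // in the peer certificate (subjectAltName, then CN); NoopHostnameVerifier
    // accepts any name.
    static HostnameVerifier verifierFor(boolean enabled) {
        return enabled ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    // Only the name check is swapped. No custom SSLContext is set here, so the
    // certificate chain is still validated against the JVM default trust store.
    static RestClient build(String host, int port) {
        HostnameVerifier verifier = verifierFor(verificationEnabled());
        return RestClient.builder(new HttpHost(host, port, "https"))
                .setHttpClientConfigCallback(b -> b.setSSLHostnameVerifier(verifier))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Run with -Delasticsearch.restClient.ssl.certificate.verification=false
        // to reach the test node from the ticket, whose certificate names
        // node-0.example.com while the client connects to "elastic".
        try (RestClient client = build("elastic", 9200)) {
            System.out.println("hostname verification enabled: " + verificationEnabled());
        }
    }
}
```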
