[BUG] OS handshake fails on certificate containing UPN in the Subject Alternative Names #6090

@ivanovrvl

Description

Node handshake fails when the peer's SSL certificate contains an OID="1.3.6.1.4.1.311.20.2.3" field in the Subject Alternative Names

[2026-04-14T13:36:08,707][WARN ][o.o.d.HandshakingTransportAddressConnector] [***1OSL] handshake failed for [connectToRemoteMasterNode[***.61:9300]]
org.opensearch.transport.RemoteTransportException: [***2OSL][**.61:9300][internal:transport/handshake]
Caused by: org.opensearch.core.common.io.stream.NotSerializableExceptionWrapper: class_cast_exception: class java.lang.String cannot be cast to class java.lang.Integer (java.lang.String and java.lang.Integer are in module java.base of loader 'bootstrap')
        at org.opensearch.security.transport.DefaultInterClusterRequestEvaluator.isInterClusterRequest(DefaultInterClusterRequestEvaluator.java:135) ~[?:?]
        at org.opensearch.security.transport.SecurityRequestHandler.addAdditionalContextValues(SecurityRequestHandler.java:359) ~[?:?]
        at org.opensearch.security.ssl.transport.SecuritySSLRequestHandler.messageReceived(SecuritySSLRequestHandler.java:139) ~[?:?]
        at org.opensearch.security.OpenSearchSecurityPlugin$6$1.messageReceived(OpenSearchSecurityPlugin.java:795) ~[?:?]
        at org.opensearch.indexmanagement.rollup.interceptor.RollupInterceptor$interceptHandler$1.messageReceived(RollupInterceptor.kt:114) 

How to reproduce:
Use peer's certificates issued by a Windows CA

Fix
org.opensearch.security.transport.DefaultInterClusterRequestEvaluator#isInterClusterRequest
must not iterate over the items included in the list returned by cert.getSubjectAlternativeNames(). Some items might contain more than 2 values, but only the first contains the Integer id.
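
The failure mode in this report, as an added example that is not the plugin's code or the reporter's: a defensive reader that takes only element 0 (the Integer type) and element 1 (the value) of each SAN entry, beside a hypothetical loop that assumes flat (id, value) pairs. The class and method names, the four-element otherName entry, the host names and the registeredID value are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

public class SanEntries {
    static final int OTHER_NAME = 0;    // GeneralName tag (RFC 5280); UPN SANs use this type
    static final int REGISTERED_ID = 8; // GeneralName tag (RFC 5280)

    // Defensive read: element 0 is the Integer type, element 1 the value, the rest is ignored.
    static List<Object> valuesOfType(Collection<List<?>> sans, int wantedType) {
        List<Object> out = new ArrayList<>();
        if (sans == null) return out; // getSubjectAlternativeNames() returns null without a SAN extension
        for (List<?> entry : sans) {
            if (entry == null || entry.size() < 2) continue;
            if (!(entry.get(0) instanceof Integer)) continue;
            if ((Integer) entry.get(0) == wantedType) out.add(entry.get(1));
        }
        return out;
    }

    // Hypothetical fragile loop: assumes every list is a flat run of (Integer id, value) pairs.
    static void pairwiseScan(Collection<List<?>> sans) {
        for (List<?> entry : sans) {
            for (Iterator<?> it = entry.iterator(); it.hasNext();) {
                Integer id = (Integer) it.next(); // ClassCastException on a third element that is a String
                it.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of getSubjectAlternativeNames(); not from a real certificate.
        Collection<List<?>> sans = List.of(
            List.of(2, "node1.example.internal"),
            List.of(OTHER_NAME, new byte[] {0x30, 0x00}, "1.3.6.1.4.1.311.20.2.3", "svc@example.internal"),
            List.of(REGISTERED_ID, "1.2.3.4.5.5"));

        System.out.println("registeredID values: " + valuesOfType(sans, REGISTERED_ID));
        try {
            pairwiseScan(sans);
        } catch (ClassCastException e) {
            System.out.println("pairwise scan failed: " + e.getMessage());
        }
    }
}
```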

Labels: bug, good first issue, triaged
