connecting to opensearch via ipv6 #122

Open
jahlives opened this issue Nov 7, 2023 · 0 comments

Steps to replicate

Provide example config and message

host "[ipv6:add:ress]"
scheme https
ssl_verify false

The above snippet is in our match config block in fluentd.

Expected Behavior or What you need to ask

I would expect the plugin to open an IPv6 SSL connection to the OpenSearch host. Instead we get an error like this:

Could not communicate to OpenSearch, resetting connection and trying again. SSL_connect returned=1 errno=0 peeraddr=[REDACTED]:9200 state=error: sslv3 alert illegal parameter (OpenSSL::SSL::SSLError)

Using Fluentd and OpenSearch plugin versions

  • Debian 12
  • Docker
  • Fluentd v1.0 or later
    • fluentd 1.16.2
abbrev (default: 0.1.0)
async (1.31.0)
async-http (0.60.2)
async-io (1.36.0)
async-pool (0.4.0)
aws-eventstream (1.2.0)
aws-partitions (1.825.0)
aws-sdk-core (3.182.0)
aws-sigv4 (1.6.0)
base64 (default: 0.1.1)
benchmark (default: 0.2.0)
bigdecimal (default: 3.1.1, 1.4.4)
bundler (2.4.19)
cgi (default: 0.3.6)
concurrent-ruby (1.2.2)
console (1.23.2)
cool.io (1.8.0)
csv (default: 3.2.5)
date (default: 3.2.2)
delegate (default: 0.2.0)
did_you_mean (default: 1.6.1)
digest (default: 3.1.0)
drb (default: 2.1.0)
english (default: 0.7.1)
erb (default: 2.2.3)
error_highlight (default: 0.3.0)
etc (default: 1.3.0)
excon (0.103.0)
faraday (2.7.11)
faraday-excon (2.1.0)
faraday-net_http (3.0.2)
faraday_middleware-aws-sigv4 (1.0.1)
fcntl (default: 1.0.1)
fiber-annotation (0.2.0)
fiber-local (1.0.0)
fiddle (default: 1.1.0)
fileutils (default: 1.6.0)
find (default: 0.1.1)
fluent-config-regexp-type (1.0.0)
fluent-plugin-opensearch (1.1.4)
fluent-plugin-rewrite-tag-filter (2.4.0)
fluentd (1.16.2)
forwardable (default: 1.3.2)
getoptlong (default: 0.1.1)
http_parser.rb (0.8.0)
io-console (default: 0.5.11)
io-nonblock (default: 0.1.0)
io-wait (default: 0.2.1)
ipaddr (default: 1.2.4)
irb (default: 1.4.1)
jmespath (1.6.2)
json (2.6.3, default: 2.6.1)
logger (default: 1.5.0)
msgpack (1.7.2)
multi_json (1.15.0)
mutex_m (default: 0.1.1)
net-http (default: 0.3.0)
net-protocol (default: 0.1.2)
nio4r (2.5.9)
nkf (default: 0.1.1)
observer (default: 0.1.1)
oj (3.16.1)
open-uri (default: 0.2.0)
open3 (default: 0.1.1)
opensearch-ruby (3.0.1)
openssl (default: 3.0.1)
optparse (default: 0.2.0)
ostruct (default: 0.5.2)
pathname (default: 0.2.0)
pp (default: 0.3.0)
prettyprint (default: 0.1.1)
protocol-hpack (1.4.2)
protocol-http (0.24.7)
protocol-http1 (0.15.1)
protocol-http2 (0.15.1)
pstore (default: 0.1.1)
psych (default: 4.0.4)
racc (default: 1.6.0)
readline (default: 0.0.3)
readline-ext (default: 0.1.4)
reline (default: 0.3.1)
resolv (default: 0.2.1)
resolv-replace (default: 0.1.0)
rexml (3.2.6)
rinda (default: 0.1.1)
ruby2_keywords (default: 0.0.5)
securerandom (default: 0.2.0)
serverengine (2.3.2)
set (default: 1.0.2)
shellwords (default: 0.1.0)
sigdump (0.2.5)
singleton (default: 0.1.1)
stringio (default: 3.0.1)
strptime (0.2.5)
strscan (default: 3.0.1)
syslog (default: 0.1.0)
tempfile (default: 0.1.2)
time (default: 0.2.2)
timeout (default: 0.2.0)
timers (4.3.5)
tmpdir (default: 0.1.2)
traces (0.11.1)
tsort (default: 0.1.0)
tzinfo (2.0.6)
tzinfo-data (1.2023.3)
un (default: 0.2.0)
uri (0.12.2, default: 0.12.1)
weakref (default: 0.1.1)
webrick (1.7.0)
yajl-ruby (1.4.3)
yaml (default: 0.2.0)
zlib (default: 2.1.1)

We currently run into an issue when we want the opensearch-fluentd plugin to connect via IPv6 to our OpenSearch. According to the docs here it should be configured as host "[ip:v6:add:ress]". When doing so the fluent logs state that an SSL connection

Could not communicate to OpenSearch, resetting connection and trying again. SSL_connect returned=1 errno=0 peeraddr=[REDACTED]:9200 state=error: sslv3 alert illegal parameter (OpenSSL::SSL::SSLError)
Remaining retry: 10. Retry to communicate after 32 second(s).

which is weird, as at least on IPv4 the SSL to the same host is no problem. Is there any special SSL handling when connecting via IPv6 to an OpenSearch host?

Furthermore, I wonder if it should be possible to use a hostname instead of an IPv6 address? We have a hostname which resolves to 3 AAAA recs of our OpenSearch hosts (only AAAA recs, no A recs), but when using that hostname fluentd throws errors that I cannot resolve/connect as the hostname is invalid.
