Routing via HTTPS fails due to an unrecognized name

Article ID: 42865

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

A request routed to a backend node that does not support the SNI extension may fail with the following entry in the Gateway's error log or audit log:

Problem routing to https://server.domain.com:443/service. Error msg: Unable to obtain HTTP response from https://server.domain.com:443/service: Warning Alert received: Unrecognized Name

This failure does not originate from the Gateway: the Unrecognized Name alert is the error response returned by the backend server application during the handshake when the Gateway attempts to connect.

The Gateway has supported SNI towards backend servers since its move to Java 7.

Environment

Release:
Component: APIGTW

Cause

Oracle added Server Name Indication (SNI) extension support to Java 7. The Gateway moved to Java 7 in version 7.1.0. The Gateway also uses several Java-based SSL/TLS providers. All of these dependencies cooperate to provide support for SNI for SSL/TLS-encrypted connections and handshakes.

SNI allows a client application to name the host it wants to connect to for a particular TCP connection. It is useful for virtual hosting of multiple web servers or services on one server, or on one port of a server: one or more applications can be exposed on the same server, interface, or port while the client specifies which host it wants to reach. If a server application does not support this extension, a particular error message is returned during the SSL/TLS handshake and the connection attempt (and therefore the routing attempt) fails. This issue can be avoided by disabling SNI support on a particular node in the cluster.

Resolution

This issue can be worked around by disabling the SNI extension in the Gateway's Java runtime. To disable SNI, perform the following:

  1. Log into the Gateway appliance as the ssgconfig user
  2. Select Option #3: Use a privileged shell
  3. Open /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties in a text editor
  4. Append the following line to the file: jsse.enableSNIExtension=false
  5. Append the following line to the file: com.l7tech.security.tlsProvider=SunJSSE
  6. Save the file and exit
  7. Restart the Gateway appliance

The procedure above must be performed on each node in the affected cluster, because system properties are not replicated across the cluster and are set on a node-by-node basis.
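Steps 3 to 5 as a small POSIX shell script that could be run from the privileged shell of step 2 on each node (added example, not from the original article or the product). It works on a constructed stand-in file rather than the real system.properties path, and sets each property idempotently so that a second run leaves no duplicate keys:

```shell
#!/bin/sh
# Added example, not from the original article: apply steps 4 and 5 of the
# Resolution idempotently, so re-running it never leaves duplicate keys.
# Runs against a constructed copy; on a Gateway node point PROPS at
# /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties (step 3)
# and restart the node afterwards (step 7).
# Caveat: jsse.enableSNIExtension is a JVM-wide setting, so every outbound
# TLS route from that node stops sending SNI, not only the failing one.

# Escape regex metacharacters (the dots in property names) for use in sed/grep.
re_escape() { printf '%s' "$1" | sed 's|[][\.*^$/]|\\&|g'; }

# set_property FILE KEY VALUE: replace an existing "KEY=..." line or append one.
# (Keys and values used here contain no characters special to sed replacements.)
set_property() {
    file=$1; key=$2; value=$3; esc=$(re_escape "$key")
    if grep -q "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed "s/^[[:space:]]*${esc}[[:space:]]*=.*/${key}=${value}/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        # Without a trailing newline the new key would be glued onto the
        # last line (corrupting that property); add one first if needed.
        if [ -n "$(tail -c 1 "$file")" ]; then printf '\n' >> "$file"; fi
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the effective value (java.util.Properties
# takes the last occurrence of a key, so do the same).
get_property() {
    esc=$(re_escape "$2")
    sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Constructed stand-in for system.properties: one unrelated placeholder key
# plus SNI still enabled, and deliberately no trailing newline.
PROPS=$(mktemp)
printf 'example.placeholder.key=value\njsse.enableSNIExtension=true' > "$PROPS"

set_property "$PROPS" jsse.enableSNIExtension false
set_property "$PROPS" com.l7tech.security.tlsProvider SunJSSE
set_property "$PROPS" com.l7tech.security.tlsProvider SunJSSE  # second run: no change

echo "jsse.enableSNIExtension=$(get_property "$PROPS" jsse.enableSNIExtension)"
echo "com.l7tech.security.tlsProvider=$(get_property "$PROPS" com.l7tech.security.tlsProvider)"
```

After editing the real file, the Gateway must still be restarted for the JVM to pick up the new system properties.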

If SNI support must remain enabled even though the error is printed, or if the steps above do not resolve the issue, please contact Layer 7 Support at CA Technologies.