Routing via HTTPS fails due to an unrecognized name


Article ID: 42865


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


A request being routed to a node that does not support the SNI extension may fail with the following entry in the error log or audit log:

Problem routing to? Error msg: Unable to obtain HTTP response from Warning Alert received: Unrecognized Name

This failure does not originate from the Gateway and is actually the error response returned by the server application when the Gateway attempts to connect.

The Gateway has supported SNI to the backend since the introduction of Java 7.



Component: APIGTW


Oracle added Server Name Indication (SNI) extension support to Java 7. The Gateway moved to Java 7 in version 7.1.0. The Gateway also uses several Java-based SSL/TLS providers. All of these dependencies cooperate to provide support for SNI for SSL/TLS-encrypted connections and handshakes.

SNI allows a client application to specify a host it desires to connect to for a particular TCP connection. It is useful for virtual hosting of multiple web servers or services on one server or port of a server. This allows one or more applications to be available on the same server, interface, or port while allowing the client to specify what host it wants to connect to. If a server application does not support this extension then a particular error message will be returned during the SSL handshake and the attempt to connect (and the subsequent routing attempt) will fail. This issue can be avoided by disabling SNI support within a particular node in the cluster.
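To confirm from a packet capture that the backend, not the Gateway, produced the error, look for the TLS alert behind the log message: level 1 (warning), description 112 (unrecognized_name, RFC 6066). The Python sketch below is an added example, not Gateway code; the function names and the byte samples are constructed for illustration.

```python
import struct

ALERT = 21                  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
UNRECOGNIZED_NAME = 112     # alert description defined alongside SNI in RFC 6066


def iter_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5 : pos + 5 + length]
        if len(payload) < length:   # truncated capture: stop rather than guess
            return
        yield ctype, payload
        pos += 5 + length


def sni_alerts(stream: bytes):
    """Return the level of every plaintext unrecognized_name alert found."""
    found = []
    for ctype, payload in iter_records(stream):
        # Alerts sent before encryption starts are two bytes: level, description.
        if ctype == ALERT and len(payload) == 2 and payload[1] == UNRECOGNIZED_NAME:
            found.append(LEVELS.get(payload[0], "unknown"))
    return found


def diagnose(stream: bytes) -> str:
    levels = sni_alerts(stream)
    if not levels:
        return "no unrecognized_name alert: look elsewhere for the routing failure"
    return "backend answered the SNI host name with unrecognized_name (%s)" % ", ".join(levels)


# Constructed server-to-client bytes: a warning alert followed by a handshake record.
SAMPLE_REJECT = bytes.fromhex("15030300020170") + bytes.fromhex("1603030004" "0e000000")
# Constructed bytes for a handshake that carries no alert at all.
SAMPLE_CLEAN = bytes.fromhex("1603030004" "0e000000")

if __name__ == "__main__":
    print(diagnose(SAMPLE_REJECT))
    print(diagnose(SAMPLE_CLEAN))
```

Feed it the server-to-client byte stream of the failing connection, exported from a capture taken on the Gateway node.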


This issue can be worked around by disabling the SNI extension within the Gateway's implementation of Java. To disable SNI, perform the following:

  1. Log into the Gateway appliance as the ssgconfig user
  2. Select Option #3: Use a privileged shell
  3. Open /opt/SecureSpan/Gateway/node/default/etc/conf/ in a text editor
  4. Append the following line to the file: jsse.enableSNIExtension=false
  5. Append the following line to the file:
  6. Save the file and exit
  7. Restart the Gateway appliance

The procedure above must be executed on each node in the impacted cluster, because system properties are not replicated across the cluster and are set on a node-by-node basis.

If you need persistent support for SNI even with the error printed, or if the steps above do not resolve the issue, please contact Layer 7 Support at CA Technologies.