javax.net.ssl.SSLHandshakeException: Received fatal alert: unrecognized_name

Document created by yvonne_f159640 on Apr 5, 2018. Last modified by frank_wetzler970218 on Jun 13, 2018.
Version 2

Issue

The server that the customer connects to through the HTTP Client Connector recently changed its configuration to "strict SNI", and since then all processes in Boomi fail when trying to connect. The connector returns one of the following errors:

javax.net.ssl.SSLHandshakeException: Received fatal alert: unrecognized_name

OR

javax.net.ssl.SSLException: Received fatal alert: internal_error 

 

Cause

A service provider that is responsible for multiple hostnames is likely to need to present a different certificate for each name (or small group of names). 

The server the customer is connecting to has recently changed its configuration to "strict SNI."

 

Enabling the SNI extension allows the client to send the name of the virtual domain as part of the TLS negotiation. This enables the server to select the correct virtual domain early and present the client with the certificate containing the correct name. Therefore, with clients and servers that implement SNI, a server with a single IP address can serve a group of domain names for which it is impractical to get a common certificate.

 

The issue occurs because the endpoint requires SNI (Server Name Indication) support from any HTTP client connecting to it, but the JVM used by the atom/molecule/cloud does not have SNI support enabled.

 

SNI is currently disabled in the Boomi Atom Cloud and Boomi Test Atom Cloud because it might have a negative impact on other customers using the Clouds. 

 

Solution

 

If the customer is using a local atom/molecule/cloud, add the following setting to the atom.vmoptions file.

====
-Djsse.enableSNIExtension=true
====
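To confirm what a given JVM actually sends, the following added example (not part of the original document and not Boomi code) has JSSE build a ClientHello in memory and reports whether it carries the server_name extension. The class name SniCheck and the host endpoint.example.com are placeholders; run it with the same JVM and the same -Djsse.enableSNIExtension value as the atom. No network connection is made.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example: SniCheck and the default host below are placeholders.
public class SniCheck {
    // Returns the host name from the server_name extension, or null if absent.
    static String sniFromClientHello(ByteBuffer b) {
        if (b.limit() < 44 || b.get(0) != 0x16 || b.get(5) != 0x01) {
            throw new IllegalArgumentException("not a TLS ClientHello record");
        }
        int p = 5 + 4 + 2 + 32;                 // record hdr, handshake hdr, version, random
        p += 1 + (b.get(p) & 0xff);             // session id
        p += 2 + (b.getShort(p) & 0xffff);      // cipher suites
        p += 1 + (b.get(p) & 0xff);             // compression methods
        if (p + 2 > b.limit()) return null;     // no extensions block at all
        int end = p + 2 + (b.getShort(p) & 0xffff);
        p += 2;
        while (p + 4 <= end) {
            int type = b.getShort(p) & 0xffff;
            int len = b.getShort(p + 2) & 0xffff;
            if (type == 0) {                    // extension 0 = server_name
                // Skip list length (2 bytes) and name type (1 byte).
                int nameLen = b.getShort(p + 7) & 0xffff;
                byte[] name = new byte[nameLen];
                for (int i = 0; i < nameLen; i++) name[i] = b.get(p + 9 + i);
                return new String(name, StandardCharsets.US_ASCII);
            }
            p += 4 + len;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "endpoint.example.com";
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        ByteBuffer out = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), out);   // emits the ClientHello into 'out'
        out.flip();
        String sni = sniFromClientHello(out);
        System.out.println("jsse.enableSNIExtension="
                + System.getProperty("jsse.enableSNIExtension", "(unset, JSSE default is true)"));
        System.out.println(sni == null
                ? "ClientHello has no server_name: a strict-SNI server will reject it"
                : "ClientHello server_name: " + sni);
    }
}
```

JSSE only sends server_name for a fully qualified host name, so pass the endpoint's DNS name rather than an IP address.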

If the customer is using the Boomi cloud and is not willing to switch to a local atom, another "workaround" would be to set up a new load balancer specifically to handle incoming URL requests from the Boomi cloud that points to a server (on the endpoint) where SNI is not enabled.

 

Reference -> Server Name Indication - Wikipedia 
