Is there a way to debug or tell if southbound SNI is working from the message processors?

david_ryan
Participant V

We are receiving errors when hitting a proxy with an AWS target endpoint of "somehost.execute-api.us-east-1.amazonaws.com". We are receiving a 503 error with the message "ASYNC_EXCEPTION: Received fatal alert: handshake_failure". From everything I read in the community this seems to be an SNI issue.

Env details

Open JDK 1.7

OPDK - Edge 4.16.01.04

Enabled SNI on the MPs by setting the following configuration in /opt/apigee/customer/application/message-processor.properties

conf_system_jsse.enableSNIExtension=true

We've also added the following to our HTTPTargetConnection

<SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>false</ClientAuthEnabled>
    <Protocols>
        <!-- <Protocol>TLSv1</Protocol> -->
        <Protocol>TLSv1.2</Protocol>
    </Protocols>
</SSLInfo>

We have tried every combination of configuration and advice in the community with no success. Is there something we're missing? Is there a way to trace or debug to see if the SNI settings are working?

1 ACCEPTED SOLUTION

SNI works for version 4.16.09.03 and higher 4.16 versions. In a couple of weeks you will see a patch for the 4.17.xx release that will resolve the SNI issue on 4.17 versions as well.


5 REPLIES

Not applicable

David Ryan: The steps you ran to enable SNI are correct.

One easy way to check whether the SNI extension is present is to take a tcpdump on your MP; you should see the server_name extension in the client_hello, as shown in the picture.

[Attached image: sni.png, a packet capture showing the server_name extension in the Client Hello]

Would you happen to have a detailed example? I tried this but had no luck looking for the dst IP address of the api-gateway endpoint.

Let me know if you have a tcpdump I can look at. You can attach it here or send me an email, and I can look at it. @David Ryan
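The tcpdump check suggested above can be automated. The script below is an added example for this thread, not code from the community post or from Apigee: it takes the raw bytes of a TLS record (the first TCP payload the MP sends to the target after the TCP handshake, pulled out of the `tcpdump -w` capture with whatever pcap reader you prefer) and reports the host name in the server_name extension, or `None` when the client did not send one, which is the case that produces the `handshake_failure` alert from SNI-only endpoints. The two ClientHello messages it builds for the demonstration are constructed here for illustration; `build_client_hello` is a helper of this example, and the host name reuses the one from the question as a placeholder.

```python
"""Detect the server_name (SNI) extension in a raw TLS ClientHello record.

Added example for this thread (not code from the post or from Apigee).
Feed extract_sni() the TCP payload of the MP's first handshake packet,
taken from a tcpdump capture; build_client_hello() only fabricates
sample records so the script runs offline.
"""
import struct
from typing import Optional

HANDSHAKE = 0x16         # TLS record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000 # extension type: server_name (RFC 6066)
SNI_HOST_NAME = 0x00     # ServerName name_type: host_name


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None if absent.

    Raises ValueError when the bytes are not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
    if pos >= len(hello):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries
        p = 2
        while p + 3 <= len(data):
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
            p += 3 + name_len
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record, with or without SNI (sample data)."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    hello = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x11" * 32                            # random (fixed placeholder bytes)
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression_methods: null only
        + (struct.pack("!H", len(exts)) + exts if exts else b"")
    )
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    target = "somehost.execute-api.us-east-1.amazonaws.com"   # placeholder from the question
    for label, rec in [("with SNI", build_client_hello(target)),
                       ("without SNI", build_client_hello(None))]:
        print(f"{label}: server_name = {extract_sni(rec)!r}")
```

If the MP's capture shows `None` for the Client Hello sent to the target while `conf_system_jsse.enableSNIExtension=true` is set, the property is not taking effect on that build, which narrows the problem to the platform version rather than the proxy configuration.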

david_ryan
Participant V

Just circling back for other folks. Turns out there was an issue identified (APIRT-3832) and fixed in 4.16.09.03 related to SNI:

http://docs.apigee.com/release-notes/content/4160903-edge-private-cloud-release-notes

However, we are also testing this in our sandbox environment, which is 4.17.01.01, and have the same issue, so it is not fixed in this version. Either the bug was reintroduced or the fix was not included in this release, which is a bit more concerning from a larger patching-process perspective.
