SSL Handshake Failing from MP


Hi

We have built the Apigee platform on AWS private cloud. HTTPS requests are giving an SSL handshake issue.

We are not even able to hit https://httpbin.org/get, but if we do curl from the MP node we get a response.

My HTTP target connection is:

<HTTPTargetConnection>
  <Properties/>
  <SSLInfo>
    <Enabled>true</Enabled>
    <!--<Protocols><Protocol>TLSv1.0</Protocol></Protocols>-->
  </SSLInfo>
  <URL>https://httpbin.org/get</URL>
</HTTPTargetConnection>

Error is:

2018-07-10 17:52:19,303 org:edb env:dev api:ip rev:1 messageid:ip-172-30-0-179.apigee.internal-1981-473-1 NIOThread@0 ERROR HTTP.CLIENT - HTTPClient$Context.handshakeFailed() : SSLInfo: KeyStore:nullKeyAlias:nullTrustStore:null
2018-07-10 17:52:19,310 org:edb env:dev api:ip rev:1 messageid:ip-172-30-0-179.apigee.internal-1981-473-1 NIOThread@0 ERROR ADAPTORS.HTTP.FLOW - RequestWriteListener.onException() : RequestWriteListener.onException(HTTPRequest@5350f18f) javax.net.ssl.SSLException: Received


ateebshaik
Participant III

@Anil Sagar Could you help us with the above issue?

Have you tried adding a TrustStore?

Whether you are using an HTTPTargetConnection (from TargetEndpoint or ServiceCallout) or a JS callout with httpClient, you should define a Truststore, and populate it with the appropriate certs.

You can get the Mozilla root certs here: https://mkcert.org

Just put that into a TrustStore and specify something like this:

<SSLInfo>
  <Enabled>true</Enabled> 
  <TrustStore>ref://myTrustStore</TrustStore>
</SSLInfo> 

@Dino thanks for your response. We are not talking about a Truststore; it is one-way SSL, so it's not necessary to create a Truststore.

Is there any chance the MP verifies that the CN of the certificate is the same as the domain name? We have seen a trend that the APIs whose certificate CN is the same as the domain name (or a wildcard name) go through, while the others are failing.

By default conf_system_jsse.enableSNIExtension is set to false; will this be causing the issue?

Please throw some light on this.

1-way TLS outbound requires a TrustStore. This is the way Apigee Edge verifies the certificate of the peer (the external remote service, in your case httpbin.org).

You should enable SNI.

conf_system_jsse.enableSNIExtension = true
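As an added diagnostic (not code from this thread or from Apigee), the script below, run from the MP node, does what the MP does for outbound TLS: it verifies the peer chain against a CA bundle that stands in for the TrustStore, and sends SNI or not. That lets you see which of the two conditions in the answer above (no usable TrustStore, SNI disabled) reproduces the handshake failure. The target host and the CA bundle path are command-line inputs you supply.

```python
import socket
import ssl


def tls_probe(host, cafile, port=443, use_sni=True, timeout=5.0):
    """Handshake with `host` the way the MP would: verify the peer chain
    against `cafile` (the trust store) and send SNI only when use_sni is
    True. Returns ("ok", subject-dict) or ("error", reason)."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        if not use_sni:
            # No server_hostname means no SNI; hostname checking then has
            # nothing to compare against, so it must be switched off too.
            ctx.check_hostname = False
        with socket.create_connection((host, port), timeout=timeout) as raw:
            server_name = host if use_sni else None
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                subject = {k: v for rdn in cert["subject"] for k, v in rdn}
                return ("ok", subject)
    except ssl.SSLCertVerificationError as e:
        return ("error", f"certificate verification failed: {e.verify_message}")
    except ssl.SSLError as e:
        return ("error", f"handshake failed: {e.reason}")
    except OSError as e:  # missing CA file, DNS or TCP failure
        return ("error", f"connection/setup failed: {e}")


def likely_cause(reason):
    """Map a probe failure to the fix discussed in the thread."""
    r = reason.lower()
    if "certificate verification failed" in r:
        return "missing TrustStore: add the CA chain and reference it in <SSLInfo>"
    if "handshake failed" in r:
        return "server rejected the hello: set conf_system_jsse.enableSNIExtension=true"
    return "transport problem: check DNS/TCP reachability from the MP"


if __name__ == "__main__":
    import sys
    host, cafile = sys.argv[1], sys.argv[2]  # e.g. httpbin.org ca-bundle.pem
    for sni in (True, False):
        status, detail = tls_probe(host, cafile, use_sni=sni)
        label = "SNI on " if sni else "SNI off"
        if status == "ok":
            print(f"{label}: ok, peer subject {detail}")
        else:
            print(f"{label}: {detail} -> {likely_cause(detail)}")
```

With SNI off, a virtual-hosted server may either abort the handshake or present a default certificate whose subject is not the target's; the printed subject makes the second case visible.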