
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SNI validation issues - SSLProtocolException

SA-13442

Summary



The following exception occurs when consuming a Pega 7.1.8 service from a Java client running on Java 7.

Error Messages

Caused by: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1292)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1954)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:266)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1543)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
... 35 more


Steps to Reproduce



Consume a Pega 7.1.8 SOAP service from a Java client application when using SSL and Java SE 7.


Root Cause



A third-party product issue:

The problem is external to Pega 7.1.8 and is due to configuration issues that can be resolved outside of the product.

The root cause is the implementation of Server Name Indication (SNI) in the JSSE client. The Java SE 7 release supports the SNI extension in the JSSE client, which enables TLS clients to connect to virtual servers. SNI is described in Network Working Group RFC 4366.

Resolution



1. See the StackOverflow article "SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0" (document 7615645) for other details regarding local changes that are also available.

The problem can be resolved by configuring httpd.conf and httpd-ssl.conf for the Apache web server front end of the application server running Pega 7.1.8 so that it appropriately identifies itself to incoming requests. Corresponding configuration may be required for different environments.

To further diagnose SSL handshake issues, use the following command-line argument for the JVM:
-Djavax.net.debug=ssl:handshake


2. Make the following change to the operating environment:

In httpd-ssl.conf add an entry similar to the following:

ServerName your_company.pegacloud.com:443

In httpd.conf add a line similar to the following:
ServerName your_company.pegacloud.com:80
 

Published November 19, 2015 - Updated October 8, 2020
