Support Article
SNI validation issues - SSLProtocolException
Summary
The following exception occurs when consuming a Pega 7.1.8 service from a Java client running Java 7.
Error Messages
Caused by: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
at sun.security.ssl.ClientHandshaker.handshakeAlert(ClientHandshaker.java:1292)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1954)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:266)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1543)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1513)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1318)
... 35 more
Steps to Reproduce
Consume a Pega 7.1.8 SOAP service from a Java client application when using SSL and Java SE 7.
Root Cause
A third-party product issue:
The problem is external to Pega 7.1.8 and is due to configuration issues that can be resolved outside of the product.
The root cause is the implementation of the Server Name Indication (SNI) extension in the JSSE client. The Java SE 7 release supports the SNI extension in the JSSE client. SNI is described in Network Working Group RFC 4366 and enables TLS clients to connect to virtual servers. When the front-end web server does not recognize the host name that the client sends in this extension, it responds with the unrecognized_name alert shown above.
Resolution
1. See the StackOverflow article "SSL handshake alert: unrecognized_name error since upgrade to Java 1.7.0" (document 7615645) for other details regarding local changes that are also available.
The problem can be resolved by configuring httpd.conf and httpd-ssl.conf for the Apache web server front end of the application server running Pega 7.1.8 so that it appropriately identifies itself to incoming requests. There may be corresponding configurations required for different environments.
To further diagnose SSL handshake issues, use the following command-line argument for the JVM:
-Djavax.net.debug=ssl:handshake
2. Make the following change to the operating environment:
In httpd-ssl.conf add an entry similar to the following:
ServerName your_company.pegacloud.com:443
In httpd.conf add a line similar to the following:
ServerName your_company.pegacloud.com:80
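To check the change above before restarting Apache, the following added example (not Pega or Apache code) scans configuration text for ServerName and ServerAlias directives and reports whether the host name a Java 7 client sends in SNI is declared. The sample fragments are constructed, and the check is simplified: it assumes a single virtual host and does not follow Include directives.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: an httpd-ssl.conf fragment with no usable ServerName,
# and the same fragment after the change described in the article.
BEFORE = """\
Listen 443
<VirtualHost _default_:443>
    # ServerName www.example.com:443
    SSLEngine on
</VirtualHost>
"""
AFTER = """\
Listen 443
<VirtualHost _default_:443>
    ServerName your_company.pegacloud.com:443
    ServerAlias *.your_company.pegacloud.com
    SSLEngine on
</VirtualHost>
"""

DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.IGNORECASE)

def declared_names(conf_text):
    """Return lower-cased host names declared by ServerName/ServerAlias lines."""
    names = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):       # commented-out directives do not count
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        for token in m.group(2).split():        # ServerAlias may list several names
            host = re.sub(r"^[a-z]+://", "", token.lower())          # optional scheme
            host = host.rsplit(":", 1)[0] if ":" in host else host   # optional port
            names.append(host)
    return names

def sni_name_is_declared(conf_text, client_host):
    """True if the host name the client sends in SNI matches a declared name.
    ServerAlias wildcards (* and ?) are honoured."""
    wanted = client_host.lower().rstrip(".")
    return any(fnmatchcase(wanted, name) for name in declared_names(conf_text))

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        ok = sni_name_is_declared(conf, "your_company.pegacloud.com")
        print(label, "declared" if ok else "NOT declared: expect unrecognized_name")
```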
Published November 19, 2015 - Updated October 8, 2020