Hi,

I faced an issue when trying to access a PHP cartridge instance over
the HTTPS protocol via the Stratos LB. In the web browser I get a
"Resource not found" message. But it works when I directly access the
instance using the member's public IP. When I check the LB error log I
see the following exception:

ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
error: handshake alert:  unrecognized_name
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name

Then I tried forcing the Apache server to use SSLv3 instead of TLS;
after that I got the following error:

ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
error: handshake alert:  handshake_failure
javax.net.ssl.SSLProtocolException: handshake alert:  handshake_failure

After some Googling I found out the root cause. This issue is caused
by the following enhancement in JDK 7:  "The JDK 7 release supports
the Server Name Indication (SNI) extension in the JSSE client. SNI,
described in RFC 4366 enables TLS clients to connect to virtual
servers."

As a workaround I had to disable the SNI extension by adding the
following JVM parameter to the LB:
"-Djsse.enableSNIExtension=false"

After doing that, I still got the following error:

ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem

After some more Googling I found this blog [1] which explains how to
import self-signed certificates into the WSO2 client trust store.

I got it to a working state after those configurations, but the problem
is that I need to restart the LB after importing the certificate into
the trust store. Is there a better/recommended way to access cartridges
over the HTTPS protocol that use self-signed certificates?

I presume this will not happen when proper SSL certificates (issued by
a CA) are being used.

[1] http://evanthika.blogspot.com/2014/04/setting-up-simple-wso2-as-cluster-when.html

Thanks.


-- 
Akila Ravihansa Perera
Software Engineer
WSO2 Inc.
http://wso2.com

Phone: +94 77 64 154 38
Blog: http://ravihansa3000.blogspot.com