Yes, to enable SSL we need to configure mutual SSL. Maybe we need to
discuss how to automate this process in a production environment:

I could think of the following options at the moment:
Option 1: Pre-configure certificates in load balancer and app server
cartridges.
Option 2: Update puppet modules to do it on the fly.


On Sat, Jul 5, 2014 at 4:19 AM, Akila Ravihansa Perera <raviha...@wso2.com>
wrote:

> Hi,
>
> I faced an issue when trying to access a PHP cartridge instance over
> HTTPS via the Stratos LB. In the web browser I get a "Resource not
> found" message. But it works when I directly access the instance using
> the member public IP. When I check the LB error log I see the following
> exception:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
> error: handshake alert:  unrecognized_name
> javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
>
> Then I tried forcing Apache Server to use SSLv3 instead of TLS, after
> which I got the following error:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
> error: handshake alert:  handshake_failure
> javax.net.ssl.SSLProtocolException: handshake alert:  handshake_failure
>
> After some Googling I found out the root cause. This issue is caused
> by the following enhancement in JDK 7:  "The JDK 7 release supports
> the Server Name Indication (SNI) extension in the JSSE client. SNI,
> described in RFC 4366 enables TLS clients to connect to virtual
> servers."
>
> As a workaround I had to disable the SNI extension by adding the following
> JVM parameter to the LB:
> "-Djsse.enableSNIExtension=false"
>
> After doing that, I still got the following error:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} -  I/O
> error: General SSLEngine problem
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>
> After some more Googling I found this blog [1] which explains how to
> import self-signed certificates into the WSO2 client trust store.
>
> I got it to a working state after those configurations, but the problem
> is I need to restart the LB after importing the certificate into the trust
> store. Is there a better/recommended way to access cartridges over HTTPS
> that use self-signed certificates?
>
> I presume this will not happen when proper SSL certificates (issued by
> a CA) are being used.
>
> [1]
> http://evanthika.blogspot.com/2014/04/setting-up-simple-wso2-as-cluster-when.html
>
> Thanks.
>
>
> --
> Akila Ravihansa Perera
> Software Engineer
> WSO2 Inc.
> http://wso2.com
>
> Phone: +94 77 64 154 38
> Blog: http://ravihansa3000.blogspot.com
>



-- 
Imesh Gunaratne

Technical Lead, WSO2
Committer & PPMC Member, Apache Stratos
