Yes, to enable SSL we need to configure mutual SSL. Maybe we need to discuss how to automate this process in a production environment:
I could think of the following options at the moment:

Option 1: Pre-configure certificates in load balancer and app server cartridges.
Option 2: Update puppet modules to do it on the fly.

On Sat, Jul 5, 2014 at 4:19 AM, Akila Ravihansa Perera <raviha...@wso2.com> wrote:
> Hi,
>
> I faced an issue when trying to access a PHP cartridge instance in
> HTTPS protocol via Stratos LB. In the web browser I get a "Resource not
> found" message. But it works when I directly access the instance using
> the member public IP. When I check the LB error log I see the following
> exception:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O
> error: handshake alert: unrecognized_name
> javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
>
> Then I tried forcing Apache Server to use SSLv3 instead of TLS; after
> that I got the following error:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O
> error: handshake alert: handshake_failure
> javax.net.ssl.SSLProtocolException: handshake alert: handshake_failure
>
> After some Googling I found out the root cause. This issue is caused
> by the following enhancement in JDK 7: "The JDK 7 release supports
> the Server Name Indication (SNI) extension in the JSSE client. SNI,
> described in RFC 4366, enables TLS clients to connect to virtual
> servers."
>
> As a workaround I had to disable the SNI extension by adding the following
> JVM parameter to the LB:
> "-Djsse.enableSNIExtension=false"
>
> After doing that, I still got the following error:
>
> ERROR {org.apache.synapse.transport.passthru.TargetHandler} - I/O
> error: General SSLEngine problem
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>
> After some more Googling I found this blog [1] which explains how to
> import self-signed certificates into the WSO2 client trust store.
>
> I got it to a working state after those configurations, but the problem
> is I need to restart the LB after importing the certificate into the trust
> store.
>
> Is there a better/recommended way to access cartridges in HTTPS
> protocol that use self-signed certificates?
>
> I presume this will not happen when proper SSL certificates (issued by
> a CA) are being used.
>
> [1]
> http://evanthika.blogspot.com/2014/04/setting-up-simple-wso2-as-cluster-when.html
>
> Thanks.
>
>
> --
> Akila Ravihansa Perera
> Software Engineer
> WSO2 Inc.
> http://wso2.com
>
> Phone: +94 77 64 154 38
> Blog: http://ravihansa3000.blogspot.com

--
Imesh Gunaratne
Technical Lead, WSO2
Committer & PPMC Member, Apache Stratos
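The two failures in the thread have distinct mechanisms, and the model below (an added example, constructed for this page; it is not Stratos, WSO2 Carbon or JSSE code) walks through both without a network. The first: the JDK 7 JSSE client sends the RFC 6066 server_name extension in its ClientHello, Apache mod_ssl answers with a warning-level unrecognized_name alert when that name matches no vhost's ServerName/ServerAlias, and JDK 7 treats that warning as fatal. That is why the proper fix is a ServerName on the cartridge's SSL vhost matching the hostname the LB connects to; -Djsse.enableSNIExtension=false works only because the extension is then never sent. The second: client-truststore.jks is read once at JVM start-up, so a certificate imported with keytool afterwards is invisible to the running LB until restart. Certificates are modelled as (subject, issuer) pairs, and the hostnames and CA name are made up for the example.

```python
"""Constructed model of the JDK 7 SNI alert and the trust-store reload problem.
Not the real TLS stack: it only reproduces the decisions each side makes."""
import ipaddress
import struct

# TLS constants from RFC 5246 (alerts) and RFC 6066 (server_name extension).
EXT_SERVER_NAME = 0
NAME_TYPE_HOST_NAME = 0
ALERT_WARNING, ALERT_FATAL = 1, 2
ALERT_UNRECOGNIZED_NAME = 112
ALERT_NAMES = {40: "handshake_failure", 112: "unrecognized_name"}


def build_sni_extension(hostname):
    """Encode the server_name extension a JDK 7 JSSE client adds to ClientHello.
    Returns None for IP literals, which RFC 6066 forbids as SNI names."""
    try:
        ipaddress.ip_address(hostname)
        return None
    except ValueError:
        pass
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def parse_sni_extension(ext):
    """Decode a server_name extension and return its host_name."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_SERVER_NAME or ext_len != len(ext) - 4:
        raise ValueError("malformed server_name extension")
    (list_len,) = struct.unpack("!H", ext[4:6])
    name_type, name_len = struct.unpack("!BH", ext[6:9])
    if name_type != NAME_TYPE_HOST_NAME or 3 + name_len != list_len:
        raise ValueError("unsupported or malformed server_name entry")
    return ext[9:9 + name_len].decode("ascii")


def apache_sni_response(vhost_server_names, client_hello_ext):
    """mod_ssl's side: when the SNI name matches no vhost ServerName/ServerAlias
    (case-insensitive) it serves the default vhost but first sends a *warning*
    alert unrecognized_name. No extension at all means no alert."""
    if client_hello_ext is None:
        return None
    name = parse_sni_extension(client_hello_ext).lower()
    if name in {n.lower() for n in vhost_server_names}:
        return None
    return struct.pack("!BB", ALERT_WARNING, ALERT_UNRECOGNIZED_NAME)


def jsse_client_handshake(hostname, vhost_server_names, enable_sni=True):
    """Client side. A JDK 7 JSSE client aborts even on the warning-level alert,
    which is the first exception quoted in the thread. enable_sni=False models
    -Djsse.enableSNIExtension=false: nothing is sent, so nothing is rejected."""
    ext = build_sni_extension(hostname) if enable_sni else None
    alert = apache_sni_response(vhost_server_names, ext)
    if alert is None:
        return "ok"
    _level, desc = struct.unpack("!BB", alert)
    return "javax.net.ssl.SSLProtocolException: handshake alert: " + ALERT_NAMES[desc]


class JsseClientTrustStore:
    """The LB's view of client-truststore.jks: a snapshot taken at JVM start."""

    def __init__(self, jks_file_contents):
        self._trusted = set(jks_file_contents)  # later keytool imports are not seen

    def verify_server_cert(self, cert):
        subject, issuer = cert  # self-signed cert: subject == issuer
        if issuer in self._trusted:
            return "ok"
        return "javax.net.ssl.SSLHandshakeException: General SSLEngine problem"


def trust_store_demo(cert):
    """Outcome before the import, after the import on the still-running LB,
    and after a restart; constructed trust-store contents."""
    jks_file = {"CN=Example Root CA"}
    running_lb = JsseClientTrustStore(jks_file)
    before = running_lb.verify_server_cert(cert)
    jks_file.add(cert[0])  # keytool -importcert into the file on disk
    after_import = running_lb.verify_server_cert(cert)
    after_restart = JsseClientTrustStore(jks_file).verify_server_cert(cert)
    return before, after_import, after_restart


if __name__ == "__main__":
    host, vhosts = "cartridge.example.org", ["php.example.org"]  # constructed
    print("SNI mismatch:     ", jsse_client_handshake(host, vhosts))
    print("SNI disabled:     ", jsse_client_handshake(host, vhosts, enable_sni=False))
    print("ServerName fixed: ", jsse_client_handshake(host, vhosts + [host]))
    for label, r in zip(("before", "imported", "restarted"),
                        trust_store_demo(("CN=" + host, "CN=" + host))):
        print(label + ":", r)
```

Run stand-alone it prints the unrecognized_name exception for the mismatched vhost, "ok" for both cures, and the General SSLEngine problem twice (before the import and after it, on the unrestarted client) before the restarted client accepts the self-signed certificate.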