Mark, Jon,
On 5/26/23 04:39, Mark Thomas wrote:
> On 25/05/2023 20:46, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> So, to start I'm not a developer. With that said, I have a development
>> team that is getting the exception below in their Tomcat 9.0.74
>> implementation using Java 11 (also with Java 8). After much
>> troubleshooting with their configuration, it turned out to be this in
>> the JAVA_OPTIONS:
>>
>> -Djsse.enableSNIExtention=false
>>
>> Once I removed that, the exception and 500 error went away and things
>> work properly.
>>
>> Is there an issue using this Java Option?
>
> The exception is happening on an outgoing connection so this isn't
> really a Tomcat issue.
>
> Some quick research indicated that this setting can be used as a
> work-around for JSSE throwing an exception for some TLS warnings.
>
> Disabling SNI seems like a bad idea to me. I'd expect most sites to be
> using it.

+1

BTW you misspelled the system property above, Jon. It's
jsse.enableSNIExtension (t -> s).

> If removing the option fixes the issues then I'd go with removing the
> option.
>
> Finally, I'd try tracking down why the option was added in the first
> place and see if that reasoning still applies.

+1

These days, SNI is basically /the/ way to identify the target hostname
to a server. All modern software should support it and do it properly.
-chris