Is there a way to debug or tell if southbound SNI is working from the message processors?

anonymous · April 25, 2017, 2:50pm

We are recieving errors when hitting a proxy with an AWS target endpoint of “somehost.execute-api.us-east-1.amazonaws.com”. We are receiving a 503 error with the message “ASYNC_EXCEPTION: Received fatal alert: handshake_failure”. From everything I read in the community this seems to be an SNI issue.

Env details

Open JDK 1.7

OPDK - Edge 4.16.01.04

Enabled SNI on the MP’s setting the following configuration in the /opt/apigee/customer/application/message-processor.properties

conf_system_jsse.enableSNIExtension=true

We’ve also added the following to our HTTPTargetConnection

       <SSLInfo>
            <Enabled>true</Enabled>
            <ClientAuthEnabled>false</ClientAuthEnabled>
            <Protocols>
                <!-- <Protocol>TLSv1</Protocol> -->
                <Protocol>TLSv1.2</Protocol>
            </Protocols>
        </SSLInfo>

We have tried every combination of configuration and advice in the community with no success. Is there something we’re missing? Is there a way to trace or debug to see if the SNI settings are working?

anonymous · April 25, 2017, 5:13pm

David Ryan The steps you ran to enable SNI are correct.

One easy way to check if the SNI extension is present or not by taking a tcpdump on your MP and you should see the server_name extension in the client_hello as show in the picture.

sni.png

anonymous · April 27, 2017, 1:22am

Would you happen to have a detailed example? I tried this but had no luck looking for the dst IP address of the api-gateway endpoint.

anonymous · April 27, 2017, 2:18am

Let me know if you have a tcpdump I can look at? you can attach here or send me an email. I can look at that. @David Ryan

anonymous · May 2, 2017, 1:52pm

Just circling back for other folks. Turns out there was a issue identified (APIRT-3832) and fixed in 4.16.09.03 related to SNI:

http://docs.apigee.com/release-notes/content/4160903-edge-private-cloud-release-notes

However we are also testing this in our sandbox environment which is 4.17.01.01 and have the same issue, so not fixed in this version. Either the bug was reintroduced or not included in this release which is a bit more concerning from a larger patching process.

naseerm · May 4, 2017, 9:15pm

SNI works for versions 4.16.09.03 and higher 4.16 versions. In couple of weeks you will see a patch for 4.17.xx release that will resolve SNI issue on 4.17 versions as well.

Topic		Replies	Views
Enabling SNI and its side effects? Apigee private-cloud-deployment	5	13	April 28, 2017
Apigee Proxy with Amazon Gateway API: 503 Service Unavailable Apigee api-runtime	17	17	March 16, 2016
Cannot proxify an AWS API Gateway endpoint Apigee api-runtime	10	3	June 6, 2017

Is there a way to debug or tell if southbound SNI is working from the message processors?

AI Suggested topics