cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

Snaplex nodes running with customer signed SSL certificate - default SnapLogic SSL certificate selected and returned by server during SSL handshake

PSAmmirata
Employee
Employee

We have configured our Snaplex nodes to run with a customer signed SSL certificate. We use the FQDN in the certificate. The default SnapLogic SSL certificate is not in the JCCโ€™s keystore (jcc.serverkeys.jks). However, when we test the server (Snaplex node) is returning the default SnapLogic SSL certificate to the client during the SSL handshake instead of returning the customer signed SSL certificate. We did some additional investigation and it appears that if the client has the Server Name Indicator (SNI) TLS extension enabled the server selects and returns the default SnapLogic SSL certificate. However, if the SNI TLS extension is disabled the server selects and returns the customer signed SSL certificate thatโ€™s in the JCCโ€™s keystore. We tested the following:

โ€œopenssl s_client -connect node.example.com:8081โ€ does not use the SNI TLS extension (i.e. server name is not in the client hello message) and the server selects and returns the company signed SSL certificate chain.

โ€œopenssl s_client -connect node.example.com:8081 -servername node.example.comโ€ uses the SNI TLS extension (i.e. server name is in the client hello message) and the server selects and returns the default SnapLogic certificate.

โ€œ./java -Djavax.net.debug=ssl SSLPoke node.example.com 8081โ€ uses the SNI TLS extension (i.e. server name is in the client hello message) and the server selects and returns the default SnapLogic certificate.

โ€œ./java -Djavax.net.debug=ssl -Djsse.enableSNIExtension=false SSLPoke node.example.com 8081โ€ does not use the SNI TLS extension (i.e. server name is not in the client hello message) and the server selects and returns the company signed SSL certificate chain.

We also tested via browser and curl - they use the SNI TLS extension by default (i.e. server name is in the client hello message) and the server selects and returns the default SnapLogic certificate. I didnโ€™t find a way to disable the extention when using a browser or curl (weโ€™re using version 7.27.0 of curl)

Has anyone else encounter this behavior and been able to resolve it?

11 REPLIES 11

christwr
Contributor III

Hi Paul - Did you ever find a solution for this? Iโ€™ve been looking into switching out the default self-signed certificates on our groundplex nodes with our own CA-signed certificate, so was curious about this topic.

Hi Chris - The short answer is โ€œnoโ€. I have an open ticket with SnapLogic and our TAM told me that there is a SnapLogic bug, but I donโ€™t know anymore than that at this time. Iโ€™ll update this post when I find out more.

Did you all find a fix for this issue?

christwr
Contributor III

Hi Paul - Did you ever get this resolved? If so, any good lessons learned?