
We have an HTTP client which sends and receives messages from 3rd party web services. One of our 3rd party web services produced a `handshake alert: unrecognized_name` error. To fix this issue, we set SNI to false. For example:

```java
System.setProperty("jsse.enableSNIExtension", "false");
```

Everything is working fine.

Recently, a brand new 3rd party service has returned a 503 error. We have investigated the issue and set SNI to true. For example:

```java
System.setProperty("jsse.enableSNIExtension", "true");
```

Now, that particular 3rd party service returns a successful response.

We were thinking that if SNI is false then it is good to go, but not in this case. We were confused. Why, in this particular case, do we have to set SNI to true?

MFH
  • It seems likely that the new service **requires** SNI. Many new services are likely to require this. However, the other service can't handle the SNI extension. More information can be found in [this post](https://stackoverflow.com/questions/7615645/ssl-handshake-alert-unrecognized-name-error-since-upgrade-to-java-1-7-0). – stdunbar Aug 14 '17 at 20:13
  • Yes, setting SNI to `true` handles the new type of certificate that is mapped to multiple domains, and it requires the client code to send the server/domain name which the cert is mapped to, to be verified. Setting SNI to false means you are relaxed about validating the cert binding domain name. – Minh Kieu Aug 14 '17 at 21:41
  • Found some info related to SNI certificates: `Until now acquiring an SSL security certificate in a shared hosting required the contracting of a dedicated IP to assign to the subscription and thus be able to activate it in the domain to be protected. An extra payout that for some users may represent an economic difficulty for your project. For these cases we propose an interesting alternative: SSL Certificates with SNI extension (Secure client-server identification).` – Minh Kieu Aug 14 '17 at 21:42
  • `The advantage of this type of installation of an SSL certificate is that it does not require a dedicated IP to be installed on a domain or subdomain, reducing the cost of protecting a website and avoiding propagation times Domain with the new IP (temporary fall of the web and mail service). The protection will be identical to that provided by the certificate installed with a dedicated IP.` – Minh Kieu Aug 14 '17 at 21:43
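
Added example (not part of the question or the comments above): because `jsse.enableSNIExtension` is a JVM-wide switch, one client cannot satisfy both services with it. This sketch chooses SNI per connection through `SSLParameters` and keeps hostname verification on in both cases. The class name, the `NO_SNI_HOSTS` set and the host `legacy-partner.example` are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PerHostSni {
    // Assumption: hosts known to answer SNI with unrecognized_name (placeholder value).
    static final Set<String> NO_SNI_HOSTS =
            new HashSet<>(Arrays.asList("legacy-partner.example"));

    // Build TLS parameters for one connection instead of flipping the
    // JVM-wide jsse.enableSNIExtension property.
    static SSLParameters paramsFor(SSLSocket socket, String host) {
        SSLParameters p = socket.getSSLParameters();
        List<SNIServerName> names = NO_SNI_HOSTS.contains(host)
                ? Collections.<SNIServerName>emptyList()   // empty list: send no SNI
                : Collections.<SNIServerName>singletonList(new SNIHostName(host));
        p.setServerNames(names);
        // Hostname verification is a separate setting; keep it on either way.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        s.setSSLParameters(paramsFor(s, host));
        s.startHandshake(); // throws if the certificate does not match host
        return s;
    }

    // Usage: java PerHostSni host1 host2 ... (DNS names, not IP literals)
    public static void main(String[] args) throws IOException {
        for (String host : args) {
            try (SSLSocket s = connect(host, 443)) {
                boolean sni = !s.getSSLParameters().getServerNames().isEmpty();
                System.out.println(host + " -> " + s.getSession().getProtocol()
                        + ", SNI sent: " + sni);
            }
        }
    }
}
```

The exception list should stay as short as possible and be revisited once the legacy service fixes its server-name configuration.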
