I posted this issue and I could solve it by deleting the following from the WebLogic startup parameters:

-Djsse.enableSNIExtension=false

Can someone explain this?

HAAO
  • I just read the "duplicated" answers, and I agree with them. Java SE 7 adds Elliptic Curve Cryptography (ECC) Extensions and Server Name Indication (SNI) Extensions, and they can be disabled with: -Dcom.sun.net.ssl.enableECC=false and -Djsse.enableSNIExtension=false – devwebcl Aug 29 '18 at 17:36
  • Yeah, but I'm building and running with Java 8. – HAAO Aug 29 '18 at 17:48

1 Answer

The parameter -Djsse.enableSNIExtension=false disables SNI.

Let's say you go to endpoint endpointaaa.com/aaa. Behind this endpoint endpointaaa.com there could be multiple application servers, all with their own certificate. So /aaa could point to server A and /bbb could point to server B. SNI lets you send the endpoint you are trying to reach in its initial contact (SSL handshake I think?). This will let the receiving end know which application server you are trying to connect to, so it can respond with the right certificate.

If SNI isn't enabled, it's possible that a different application server responds with a different certificate.

  • This makes sense, since in fact the API's provider works with multiple servers. However, is the exception correct? I mean, it should fail in the handshake phase. – HAAO Aug 31 '18 at 20:26
  • It seems that there are many servers at the backend, but the endpoint is only one and those servers handle wildcard certificates. – HAAO Sep 06 '18 at 14:38