
Description

Outbound REST Message fails with "Socket Error" when the endpoint requires SNI support

Here's how you can use openssl to validate if the endpoint requires SNI support:

Run the following command:
openssl s_client -state -debug -connect api.provider.com:443

If api.provider.com utilizes and requires SNI, you’ll see output similar to this (note the error: SSL3 alert read:fatal:handshake failure):

SSL_connect:SSLv2/v3 write client hello A
read from 0x7fc699703c80 [0x7fc69b806600] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
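
A handshake failure alone can also come from a cipher or protocol mismatch, so comparing one handshake that sends SNI with one that does not isolates SNI as the cause. The script below is an added example, not part of the original article; it assumes OpenSSL 1.1.1 or later (which sends SNI by default and needs -noservername to suppress it), and its function names are illustrative.

```shell
#!/bin/sh
# Added example: decide whether an endpoint requires SNI by comparing two
# handshakes. Usage: sh sni_check.sh api.provider.com [port]
# Assumption: OpenSSL 1.1.1+ is installed (-servername / -noservername).

# Read s_client output on stdin; print "alert", "ok" or "error".
handshake_result() {
  out=$(cat)
  case $out in
    # Alerts are checked first: a server can send its certificate and
    # still abort the handshake afterwards.
    *'handshake failure'*|*'unrecognized name'*) echo alert ;;
    *'BEGIN CERTIFICATE'*) echo ok ;;
    *) echo error ;;   # no TLS exchange at all (DNS, refused, timeout)
  esac
}

# probe HOST PORT with|without : run one handshake and classify it.
probe() {
  if [ "$3" = with ]; then
    set -- "$1" "$2" -servername "$1"
  else
    set -- "$1" "$2" -noservername
  fi
  host=$1 port=$2
  shift 2
  openssl s_client -state -connect "$host:$port" "$@" </dev/null 2>&1 |
    handshake_result
}

# sni_verdict WITH_RESULT WITHOUT_RESULT
sni_verdict() {
  case "$1/$2" in
    ok/alert) echo sni-required ;;
    ok/ok)    echo sni-not-required ;;  # the certificate may still differ
    *)        echo inconclusive ;;      # fails even with SNI: look elsewhere
  esac
}

# Only touch the network when a host is given on the command line.
if [ $# -ge 1 ]; then
  target=$1
  tport=${2:-443}
  with=$(probe "$target" "$tport" with)
  without=$(probe "$target" "$tport" without)
  echo "$target:$tport with SNI: $with, without SNI: $without"
  echo "verdict: $(sni_verdict "$with" "$without")"
fi
```

A verdict of sni-required matches the situation this article describes; inconclusive means the handshake also fails when SNI is sent, so enabling SNI on the instance will not fix it by itself.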

Release or Environment

SNI support is available in ServiceNow from the Jakarta version onwards.

Cause

The endpoint requires SNI support from the client, but SNI support is disabled on the instance.

That is, glide.outbound.tls_sni.enabled is set to false.

Resolution

To enable SNI on the instance, create a system property named glide.outbound.tls_sni.enabled and set its value to true.

Additional Information

See the article below for a good explanation of SNI and when to enable it on the instance:

Enabling SNI - Service Name Indication on the ServiceNow instance

Article Information

Last Updated: 2020-03-03 11:15:44
Published: 2020-03-03