Recent SSL upgrade also introduced SNI which breaks REST API

730 views Asked by At

We use ServiceNow to communicate with PushBullet via REST API. Recently we started getting the following error

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

And a 500 HTTP error.

After much research it appears SNI has been added as part of an SSL certificate upgrade https://en.wikipedia.org/wiki/Server_Name_Indication

ServiceNow state they do not support SNI in any version.

The tests that you see are from SoapUI and Postman.

The way we test for this is by using the following command:

openssl s_client -connect api.pushbullet.com:443 
(this fails)

Adding the -servername parameter is used to pick the correct domain from the certificate that now contains multiple domains:

openssl s_client -connect api.pushbullet.com:443 -servername api.pushbullet.com

CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=*.pushbullet.com
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G2
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G2
i:/C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGbDCCBVSgAwIBAgIQTyKV1VxdJTcntEU7ErB0mjANBgkqhkiG9w0BAQsFADBH
<snip>

Is there any way of now accessing PushBullet APIs without SNI?

Gavin.

1

There are 1 answers

0
BJ Zimpleman On BEST ANSWER

SNI support has been added as of the Jakarta release:

https://docs.servicenow.com/bundle/jakarta-servicenow-platform/page/integrate/outbound-web-services/concept/outbound-sni-support.html

By default, SNI support is disabled in Jakarta. If it has been enabled on your ServiceNow instance, you would have the glide.outbound.tls_sni.enabled property set to true. Change it to false and your API calls should stop using SNI.