PingAccess Site connection fails with javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

Published: 06/29/2016

Problem Description:

PingAccess Site connection fails with javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name

The full stack trace looks like:
2016-06-29T13:21:09,879 DEBUG [8Z7wKzLEST2VMNEdADlJTA] com.pingidentity.pa.adminui.command.site.ModifySiteBaseCommand - Unable to connect to mysite1.example.com:443
java.io.IOException: javax.net.ssl.SSLException: Handshake failed
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.handleExceptionCaught(AsyncOutputStream.java:330) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.transitionFromNoChannel(AsyncOutputStream.java:281) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.handleEvent(AsyncOutputStream.java:253) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.processNextEvent(AsyncOutputStream.java:223) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.write(AsyncOutputStream.java:113) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncOutputStream.write(AsyncOutputStream.java:101) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source) ~[?:1.8.0_66]
    at java.io.BufferedOutputStream.flush(Unknown Source) ~[?:1.8.0_66]
    at com.pingidentity.pa.api.http.MessageImpl.write(MessageImpl.java:152) ~[pingaccess-api-http-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.adminui.command.site.ModifySiteBaseCommand.testTargets(ModifySiteBaseCommand.java:327) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.adminui.command.site.ModifySiteBaseCommand.executeInTransaction(ModifySiteBaseCommand.java:87) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.adminui.command.site.ModifySiteBaseCommand.executeInTransaction(ModifySiteBaseCommand.java:52) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.adminui.command.TransactionalJSONProcessingCommandTemplate.executeInTransaction(TransactionalJSONProcessingCommandTemplate.java:52) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.adminui.command.TransactionalBaseCommand.execute(TransactionalBaseCommand.java:46) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.rest.interceptors.CommandExecutorInterceptor.executeCommand(CommandExecutorInterceptor.java:115) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.rest.interceptors.CommandExecutorInterceptor.dispatchRequest(CommandExecutorInterceptor.java:96) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.rest.interceptors.CommandExecutorInterceptor.handleRequest(CommandExecutorInterceptor.java:61) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.rest.interceptors.CommandExecutorInterceptor.handleRequest(CommandExecutorInterceptor.java:43) ~[pingaccess-admin-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.interceptor.flow.InterceptorFlowController.invokeRequestHandlers(InterceptorFlowController.java:153) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.interceptor.UserFeatureInterceptor.handleRequest(UserFeatureInterceptor.java:25) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.interceptor.UserFeatureInterceptor.handleRequest(UserFeatureInterceptor.java:18) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.interceptor.flow.InterceptorFlowController.invokeRequestHandlers(InterceptorFlowController.java:153) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.interceptor.flow.InterceptorFlowController.invokeHandlers(InterceptorFlowController.java:68) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.HttpServerHandler.invokeHandlers(HttpServerHandler.java:211) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.HttpServerHandler.processExchange(HttpServerHandler.java:140) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.HttpServerHandler.handleRequest(HttpServerHandler.java:87) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at com.pingidentity.pa.core.transport.http.async.bio.AsyncConnectionHandler.run(AsyncConnectionHandler.java:71) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) ~[?:1.8.0_66]
    at java.util.concurrent.FutureTask.run(Unknown Source) ~[?:1.8.0_66]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_66]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_66]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_66]
Caused by: javax.net.ssl.SSLException: Handshake failed
    at com.pingidentity.pa.core.transport.http.async.bio.BlockingIoHandler.userEventTriggered(BlockingIoHandler.java:378) ~[pingaccess-core-4.0.1.3.jar:4.0.1.3]
    at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:279) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:265) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.notifyHandshakeFailure(SslHandler.java:1268) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1262) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1095) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:959) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:327) ~[netty-codec-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:230) ~[netty-codec-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:110) ~[netty-common-4.0.30.Final.jar:4.0.30.Final]
    ... 1 more
Caused by: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source) ~[?:1.8.0_66]
    at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:1.8.0_66]
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:1.8.0_66]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:1.8.0_66]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_66]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_66]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1129) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1019) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:959) ~[netty-handler-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:327) ~[netty-codec-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:230) ~[netty-codec-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354) ~[netty-transport-4.0.30.Final.jar:4.0.30.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:110) ~[netty-common-4.0.30.Final.jar:4.0.30.Final]
    ... 1 more

This issue occurs when the back-end server's SNI (Server Name Indication) handling returns TLS alert 112, unrecognized_name. The client (PA) sends the Site's hostname in the ClientHello SNI extension, and the server has no virtual host configured for that name. As the stack trace shows, the Java TLS client treats this alert as a handshake failure and aborts the connection.

Solution:

The back-end server's SNI configuration must be modified so that it recognizes the hostname given in the PingAccess Site definition. With the Apache HTTPD server, for example, this is done by adding a ServerAlias to the VirtualHost that matches the PA Site's hostname. Concretely, if the Site is mysite1.example.com:443, you would add the directive

ServerAlias mysite1.example.com
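An added, offline preflight check (not from the article or from Ping Identity) that models the back-end's SNI lookup against an Apache VirtualHost fragment, including wildcard ServerAlias entries, and reports alert 112 for a name the vhost does not serve; the vhost text, the hostnames and the helper names are constructed for this example.

```python
"""Preflight check for the SNI mismatch behind "handshake alert: unrecognized_name"."""
import fnmatch
import re
from typing import List, Optional

# TLS AlertDescription value sent for an SNI name the server does not serve
# (RFC 6066 section 3); Java reports it as "handshake alert: unrecognized_name".
ALERT_UNRECOGNIZED_NAME = 112


def vhost_names(apache_conf: str) -> List[str]:
    """Collect every ServerName/ServerAlias value from an httpd.conf fragment."""
    names = []
    for raw in apache_conf.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments
        match = re.match(r"(?i)^(ServerName|ServerAlias)\s+(.+)$", line)
        if not match:
            continue
        for token in match.group(2).split():                # ServerAlias takes several names
            host = token.split("://", 1)[-1].split(":", 1)[0]  # strip scheme and port
            names.append(host.lower().rstrip("."))
    return names


def sni_decision(apache_conf: str, sni_hostname: str) -> Optional[int]:
    """Model the server's SNI lookup: None when the name is served, else the alert code.

    ServerAlias patterns may contain the * and ? wildcards, so matching is done
    with fnmatch rather than string equality.
    """
    wanted = sni_hostname.lower().rstrip(".")
    if any(fnmatch.fnmatchcase(wanted, pattern) for pattern in vhost_names(apache_conf)):
        return None
    return ALERT_UNRECOGNIZED_NAME


# Constructed sample: the back-end vhost before and after the fix from the article.
VHOST_BEFORE = """
<VirtualHost *:443>
    ServerName www.example.com:443
    SSLEngine on
</VirtualHost>
"""
VHOST_AFTER = VHOST_BEFORE.replace("SSLEngine on",
                                   "ServerAlias mysite1.example.com\n    SSLEngine on")

if __name__ == "__main__":
    site_host = "mysite1.example.com"                       # hostname from the PA Site definition
    for label, conf in (("before", VHOST_BEFORE), ("after", VHOST_AFTER)):
        result = sni_decision(conf, site_host)
        print(f"{label}: {'accepted' if result is None else f'alert {result}'}")
```

Run it against your own vhost fragment and Site hostname; a result of alert 112 is the mismatch this article describes.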
