
Apigee Edge proxy throws "SSL handshake failed"

Former Community Member

I am trying to send a ping using a JavaScript callout, but no matter what I try, I keep getting an SSL handshake failure.

I tried the same with a ServiceCallout and got the same error.


Let's first focus on ServiceCallout because it's easier to focus on one policy. If you get the SSL handshake to succeed there, it's likely you will have the problem solved for the JS callout too.

Can you post the SSLInfo stanza you used for ServiceCallout? 

And can you describe (show) the contents of the TrustStore? And can you verify that one of the certs there is the root cert corresponding to the newrelic endpoint you are contacting? You may want to try using openssl s_client to check the cert chain from newrelic (hints here) to verify that the root cert you have in your truststore is the correct match for the cert chain newrelic is presenting.

Why do you need this? When using TLS, you need to specify some params for the TLS negotiation. In various places in Apigee, the SSLInfo element is used to specify those parameters. These include the Truststore, and maybe the list of ciphers and protocols you want to support. The truststore needs to be loaded with the trusted root certificates. 

AFAIK, the behavior of the TLS negotiation between Apigee and some other endpoint is not defined if you do not specify an SSLInfo element. If you have no SSLInfo element, that could be the reason you are seeing "SSL Handshake failed."

Former Community Member

Like you asked, I focused on the ServiceCallout but had no luck.

I had tried a few things with the SSLInfo element:
- Tried giving the truststore with newrelic's root cert (and had verified the root with openssl s_client).

- Tried giving a cipher suite that is supported by the newrelic API (ECDHE-RSA-AES128-GCM-SHA256).

- The newrelic API requires TLS (https) and only supports TLS 1.2 and above.

I have been trying in an older organization (say "orgA"). On further trial and error, I found out that the same code works on a newer organization (say "orgB"); both the service callout and JavaScript callout are working for me in orgB, even without the SSLInfo element. The only difference that I have noticed is that orgB is old and has expired its trial certificate (virtual hosts), while orgA is new and we are using the trial certificate for orgA.

It would be great if I could make it work in orgA since all my proxies are in orgA.

had no luck.

If you're using Apigee OPDK, check the Message Processor system.log for diagnostic information on the TLS handshake failure. If you're using Apigee Edge SaaS, then you will need to contact Apigee support to further diagnose this.

Tried giving the truststore with newrelic's root cert (and had verified the root with openssl s_client).

Maybe I am misunderstanding you, but... It's not newrelic's certificate that needs to be in the TrustStore. It's the certificate belonging to the party that SIGNED newrelic's cert. There's a trust chain. You need the originating link in the chain in the truststore: the certificate of the root CA. It will belong to a party like GlobalSign or Entrust or DigiCert or Go Daddy, and it will be signed by itself.

According to my check just now, the root CA for newrelic is DigiCert.

$ openssl s_client -showcerts -connect api.newrelic.com:443 
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "New Relic, Inc.", CN = *.newrelic.com
verify return:1


So if you are using api.newrelic.com as the target API endpoint, you need the certificate for the DigiCert Root CA in your Apigee TrustStore.

Do you have that?

You can get the right cert from mkcert.org. Here's one possibility:


curl https://mkcert.org/generate/digicert


But you don't need ALL of those certs. Just the one labeled "DigiCert Global Root CA". It looks like this: 

# Issuer: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Label: "DigiCert Global Root CA"
# Serial: 10944719598952040374951832963794454346
# MD5 Fingerprint: 79:e4:a9:84:0d:7d:3a:96:d7:c0:4f:e2:43:4c:89:2e
# SHA1 Fingerprint: a8:98:5d:3a:65:e5:e5:c4:b2:d7:d6:6d:40:c6:dd:2f:b1:9c:54:36
# SHA256 Fingerprint: 43:48:a0:e9:44:4c:78:cb:26:5e:05:8d:5e:89:44:b4:d8:4f:96:62:bd:26:db:25:7f:89:34:a4:43:c7:01:61
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

If I am misunderstanding, maybe you could show the output of your openssl command and show the contents of your Apigee Truststore. And show the SSLInfo you are using.
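To make the two checks above repeatable (read the root of the chain that `openssl s_client` prints, then pull only that one self-signed root out of an mkcert.org bundle for the TrustStore), here is an added example script; it is not part of the original thread or of Apigee. The s_client lines are the ones shown above; the bundle is constructed in the mkcert.org layout with placeholder bodies instead of real certificate data.

```python
import re

# `openssl s_client -showcerts -connect api.newrelic.com:443` verify lines as
# posted in the thread above.
S_CLIENT_OUTPUT = """\
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "New Relic, Inc.", CN = *.newrelic.com
verify return:1
"""
# Constructed bundle in the mkcert.org layout (comment headers + PEM block).
# The base64 bodies are PLACEHOLDERS, not real certificate data.
SAMPLE_BUNDLE = """\
# Issuer: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Assured ID Root CA O=DigiCert Inc OU=www.digicert.com
# Label: "DigiCert Assured ID Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER_ASSURED_ID_ROOT
-----END CERTIFICATE-----
# Issuer: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Subject: CN=DigiCert Global Root CA O=DigiCert Inc OU=www.digicert.com
# Label: "DigiCert Global Root CA"
-----BEGIN CERTIFICATE-----
PLACEHOLDER_GLOBAL_ROOT
-----END CERTIFICATE-----
"""

def chain_root_cn(s_client_output):
    """CN of the deepest subject s_client printed, i.e. the root of the presented chain."""
    matches = (re.match(r"depth=(\d+)\s+(.*)", ln.strip())
               for ln in s_client_output.splitlines())
    _, subject = max((int(m.group(1)), m.group(2)) for m in matches if m)
    return re.search(r"CN\s*=\s*([^,]+)", subject).group(1).strip()

def select_root_pem(bundle, label):
    """Return the single self-signed PEM block in `bundle` whose Label is `label`."""
    entry_re = re.compile(r"((?:#[^\n]*\n)+)"
                          r"(-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)", re.S)
    for header, pem in entry_re.findall(bundle):
        meta = dict(re.findall(r"^#\s*([^:]+):\s*(.*)$", header, re.M))
        if meta.get("Label", "").strip('"') != label:
            continue
        if meta.get("Issuer") != meta.get("Subject"):  # a root CA signs itself
            raise ValueError(f"{label} is not self-signed, so it is not a root CA")
        return pem + "\n"  # this is the only cert the TrustStore needs for this target
    raise LookupError(f"no certificate labelled {label!r} in bundle")
```

Feed `select_root_pem(SAMPLE_BUNDLE, chain_root_cn(S_CLIENT_OUTPUT))` the real `curl https://mkcert.org/generate/digicert` output and your own s_client capture to get just the root PEM to upload.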