Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
You may encounter an error : 400 - Invalid SNI when calling Talend Runtime API (Job as service) after installed 2025-02 patch or later. In the past before the patch version R2025-02 of Talend Runtime Server, it did work well when using the same certificate for SSL connection with Talend Runtime Server and did not cause any issue.
The SNI validation is active after 2025-02 patch or later.
Resolution
There are three options to slove this issue
- Obtain and install a proper certificate that references the correct host name and then access it with the hostname rather than by IP.
- Disable SNI host check.
- Tell Talend component to resolve IP as hostname
Disable SNI Host Check
This has the same security risk as jetty before it was updated (low security)
In <RuntimeInstallationFolder>/etc/org.ops4j.pax.web.cfg file, please add
jetty.ssl.sniRequired=false
and
jetty.ssl.sniHostCheck=false
Or configuring these jetty parameters in <RuntimeInstallationFolder>/etc/jetty.xml or jetty-ssl.xml file
- Find the <New class="org.eclipse.jetty.server.SecureRequestCustomizer"> block in your jetty.xml or jetty-ssl.xml
- Edit the <Arg name="sniRequired" ...> and <Arg name="sniHostCheck" ...> lines so that the properties' defaults are set to false as shown below:
<New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<Arg><Ref refid="httpConfig"/></Arg>
<Call name="addCustomizer">
<Arg>
<New class="org.eclipse.jetty.server.SecureRequestCustomizer">
<Arg name="sniRequired" type="boolean">
<Property name="jetty.ssl.sniRequired" default="false"/>
</Arg>
<Arg name="sniHostCheck" type="boolean">
<Property name="jetty.ssl.sniHostCheck" default="false"/>
</Arg>
<Arg name="stsMaxAgeSeconds" type="int">
<Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/>
</Arg>
<Arg name="stsIncludeSubdomains" type="boolean">
<Property name="jetty.ssl.stsIncludeSubdomains" default="false"/>
</Arg>
</New>
</Arg>
</Call>
</New>
Resolve IP to Hostname
If the certification includes the domain name, you should use that domain name instead of the IP with the Jetty security updates in Talend Runtime Server.
But if your DNS server does not resolve the IP, you must call it by the IP address, so please check it at first to see if the workaround is feasible for your current situation.
In the examples the hostname is unresolvedhost.net and the IP is 10.20.30.40.
Try this API call at the command line:
curl -k -X GET --resolve unresolvedhost.net:9001:10.20.30.40 https://unresolvedhost.net:9001/services/
or
curl -k -X GET -H "Host: unresolvedhost.net" https://10.20.30.20:9001/services/
If this works, in your Talend component that makes the API call, go to "Advanced settings" or "Headers" table, add a row with Key: Host and Value: The hostname that matches your SSL certificate (e.g. unresolvedhost.net)
This will instruct Talend to send the correct Host header, which most HTTP clients (including Java's HttpClient) will also use as the SNI value during the TLS handshake.
Cause
The SNI enforcement is there for a security reason. With the 2025-02 patch, the Jetty components on Talend Runtime Server resolved a CVE security issue where they allowed a hostname to connect to a server that doesn't match the hostname in the server's TLS certificate.
Certificates require the URI not to be localhost or an IP address, and to have at least one dot, so a fully qualified domain name is best.
Related Content
