TLS SNI and Version Incorrect from Gateway on Ignition 8.1

I am having a strange issue with system.net.HTTP calls to an API endpoint. It works from the console in the Designer on my Windows machine but fails from the gateway script context. The root cause appears to be that during TLS negotiation the Ignition Gateway does not send SNI. It also, for whatever reason, only tries TLSv1.2. I have pcaps that show that the TCP handshake completes and then at the Client Hello the endpoint rejects it (because no SNI is sent by the gateway). I have tried to set the Java properties during the event script:

from java.lang import System
# JSSE system properties, set from the script at runtime
System.setProperty("jsse.enableSNIExtension", "true")
System.setProperty("jdk.tls.client.protocols", "TLSv1.3")

but it still tries to do the wrong TLS negotiation.


From the console script it has no problem.


So to summarize, the Gateway is picking the wrong TLS version and not sending SNI. It is not a networking problem because I can see the traffic on 443 is allowed, and the endpoint definitely has the public address range whitelisted.

These calls aren't going to the same destination IP address. There's probably a proxy or network/firewall in the middle of one of these but not the other, or some other networking difference.

Yes, that is correct, but not the problem. Even the console script will get routed to a different IP. The networking side's public IP address range is allowed to hit the endpoint, but the actual endpoint address changes. We are using the hostname in the API call.

What version of Ignition is this?

Also, since I have access to your pcaps via support:

The one connection attempt to any of the IP addresses associated with this hostname in the captures you provided does use SNI.

It opens with an identical TLS handshake/hello to your success capture from the machine with the Designer, including indicating it supports both TLS 1.3 and TLS 1.2, and prefers TLS 1.3.

The only difference is Wireshark identifies it as TLS 1.3 because it has a subsequent response from the server where the server chose TLS 1.3.
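The confusion above (a Client Hello that Wireshark summarises as "TLS 1.2" or "TLS 1.3" depending on what the server answered, and the question of whether SNI was sent at all) is easy to settle from the raw bytes. The following added example is not from the thread or from Ignition; it builds a constructed Client Hello record and then parses it to report the record-layer version, the handshake `legacy_version`, the SNI host name and the versions offered in the `supported_versions` extension. The hostname `api.example.com` and the cipher suites are placeholders. It illustrates two facts a capture reviewer should know: a TLS 1.3 client still writes `0x0303` (TLS 1.2) in the record and `legacy_version` fields, so the real offer lives in the `supported_versions` extension, and SNI is extension type 0 in the same extension list.

```python
import struct

# TLS constants (RFC 8446 handshake layout, RFC 6066 server_name extension)
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(hostname=None, offered_versions=(0x0304, 0x0303)):
    """Construct a minimal ClientHello record (sample data for this example only)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if offered_versions:
        vers = b"".join(struct.pack("!H", v) for v in offered_versions)
        sv = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    body = (
        b"\x03\x03"                                   # legacy_version: 0x0303 even for a 1.3 client
        + bytes(range(32))                            # 32-byte "random" (fixed, constructed)
        + b"\x00"                                     # empty legacy_session_id
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two placeholder cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record-layer version is also a legacy field; 0x0301 is common for the first flight
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return record version, legacy_version, SNI host and offered versions of a ClientHello."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    record_version = struct.unpack("!H", record[1:3])[0]
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                            # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                            # compression methods
    result = {"record_version": record_version, "legacy_version": legacy_version,
              "sni": None, "offered_versions": []}
    if pos == len(body):
        return result                               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= list_end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                      # host_name
                    result["sni"] = data[p:p + nlen].decode("ascii")
                p += nlen
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            result["offered_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + n, 2)]
    return result


def highest_offered(parsed):
    """Highest version the client actually offers: supported_versions wins over legacy_version."""
    versions = parsed["offered_versions"] or [parsed["legacy_version"]]
    return VERSION_NAMES.get(max(versions), hex(max(versions)))


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello("api.example.com"))
    print(hello, "->", highest_offered(hello))
```

To apply this to a real capture, export the Client Hello record bytes from Wireshark (Follow TCP Stream, raw) and pass them to `parse_client_hello`; a result with `sni` set and `0x0304` in `offered_versions` is the same hello Wireshark may label TLS 1.2 in one capture and TLS 1.3 in another, depending only on the server's reply.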

I think you are confusing pcaps; I sent both successful and unsuccessful ones. There is never any instance I have seen in the pcaps where it succeeds in sending the Client Hello from the gateway with SNI. Only the successful one from the console uses SNI. This is Ignition 8.1.47.

The pcap I'm looking at is called gatewayscope_wrongtls2.pcapng.

The only other one I saw on the ticket was working_from_designer_console2.pcapng.

Oh, you are right, the raw pcap does have it; I was just using the Wireshark UI without looking at the raw text file… oops. Ok, I can look back at the endpoint again with this info. TLS 1.2 is supported by the endpoint, so the version shouldn't matter.

Fixed, we didn’t actually have this host applied with static NAT like I thought we did. No problem, gateway works fine.
