TLS Handshake Failure


Mike Henderson

Mar 22, 2018, 2:45:57 PM
to Cerner FHIR Developers
Did the open sandbox TLS configuration recently change?

I am now getting TLS handshake errors; the last successful connection was Feb 22nd (detail below).

What I've done:

  • I am able to successfully connect using curl and Postman from the same machine.
  • Can replicate from app running on different hardware on a separate network.
  • Updating my application TLS config to use the cipher options used by curl. 
  • Confirmed cipher selected from curl handshake is present in my app Client Hello.
  • Turned off all versions of SSL and TLSv1.0 (from the FAQ: http://fhir.cerner.com/millennium/faq/common-issues/#tls-configuration)
There is no detail in the error returned by the sandbox, just "handshake failure".

The significant Client Hello differences between the successful curl and failed app call are in the "Extensions". Is there a TLS extension my application will need to now include/omit to ensure a successful handshake?

Detail:


Thanks,
Mike

Matthew Beermann (Cerner)

Mar 22, 2018, 4:46:31 PM
to Cerner FHIR Developers
> Is there a TLS extension my application will need to now include/omit to ensure a successful handshake?

Possibly; it appears that the Server Name Indication (SNI) extension might've become mandatory on or around that date. You might poke around in your HTTP client library and see what you can find on that topic.
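Added example, not part of either post: a way to check a captured Client Hello for the Server Name Indication extension discussed above, by walking its extensions block. The hostname `sandbox.example` and the `build_client_hello` helper are constructed sample data; with a real capture, pass the raw TLS record bytes to `sni_hostname` instead.

```python
import struct

SNI = 0  # server_name extension type (RFC 6066)

def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a capture)."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI, len(body)) + body
    # supported_groups (type 10) listing secp256r1, so the extensions block is never empty
    exts += struct.pack("!HHHH", 10, 4, 2, 0x0017)
    hello = (b"\x03\x03" + bytes(32)             # client_version, random
             + b"\x00"                            # empty session_id
             + struct.pack("!HH", 2, 0xC02F)      # one cipher suite
             + b"\x01\x00"                        # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_extensions(record):
    """Return {extension_type: data} from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                        # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                        # compression_methods
    if pos >= len(record):
        return {}                                 # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    found = {}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        found[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return found

def sni_hostname(record):
    """Return the host_name carried in the SNI extension, or None if absent."""
    data = parse_extensions(record).get(SNI)
    if not data:
        return None
    name_len = struct.unpack_from("!H", data, 3)[0]  # skip list length (2) + name_type (1)
    return data[5:5 + name_len].decode("ascii")
```

A `None` result for the failing application's Client Hello, alongside a hostname for the curl capture, would match the SNI explanation given in the reply.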