
Resolve HTTPS/SSL connection errors in Hyperforce with SNI

Publish Date: Jan 16, 2026
Description

Background

In Hyperforce, each Salesforce domain listed here has a separate HTTPS certificate. To serve the correct certificate, Hyperforce requires web browsers and API callers to specify the desired domain by including a Server Name Indication (SNI) extension in the TLS ClientHello message. You can read more about SNI on the Cloudflare website.

In most situations, certificate handling is transparent for Hyperforce customers. Modern web browsers consistently include SNI in their TLS ClientHello messages as part of the SSL handshake with the Salesforce server. And in the absence of SNI, Hyperforce returns a default certificate that supports all *.my.salesforce.com and *.sandbox.my.salesforce.com domains. This covers most use cases.

In a small number of cases, users experience HTTPS handshake errors after migrating to Hyperforce. These errors can occur when:

  • An API client accesses a hostname that isn’t in the *.my.salesforce.com or *.sandbox.my.salesforce.com domains and doesn’t send SNI.
  • A customer is using Salesforce Experience Sites or Salesforce Sites with a custom domain served by the customer’s own content delivery network (CDN). The CDN either doesn’t support SNI, or it sends the custom domain in the SNI instead of the originating *.force.com domain.

In both situations, Salesforce returns an HTTPS certificate that doesn’t cover the domain that the API client or the CDN was expecting, resulting in an HTTPS certificate mismatch.

This article explains how to identify and resolve these rare use cases.

Resolution

Symptoms

After migrating to Hyperforce, users or API clients receive an error or exception in the SSL handshake. For example, an API client or third-party CDN indicates an ‘SSLHandshakeException’ after sending a request to the Salesforce service.

Diagnosis and Solution

The solution varies depending on the error’s location.

Error during an API Call

The error occurs when an API client calls a Salesforce API endpoint with a domain name other than *.my.salesforce.com or *.sandbox.my.salesforce.com.

To resolve HTTPS errors from an API client caller, choose one of these solutions:

  • Modify the API client caller to include SNI in their TLS ClientHello message; or
  • Change the API client’s Salesforce API endpoint to access a hostname that is in the *.my.salesforce.com or *.sandbox.my.salesforce.com domain.
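To see which of the two fixes a given endpoint needs, compare the certificate returned with SNI against the one returned without it. The script below is an added example, not Salesforce code; the function names and result labels are assumptions made for illustration, and the check follows the usual rule that a wildcard covers exactly one leftmost label.

```python
import socket
import ssl
import sys


def san_covers(hostname, san_names):
    """Return True if hostname matches a SAN dNSName entry."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # A wildcard stands for exactly one leftmost label, so
        # *.my.salesforce.com does not cover x.sandbox.my.salesforce.com.
        first, _, rest = host.partition(".")
        if name.startswith("*.") and first and rest == name[2:]:
            return True
    return False


def fetch_san(host, port=443, send_sni=True, timeout=10):
    """Handshake with or without SNI and return the certificate's DNS SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared here
    sni = host if send_sni else None  # None omits the SNI extension
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def diagnose(hostname, san_with_sni, san_without_sni):
    """Classify a host from the SAN lists seen with and without SNI."""
    if san_covers(hostname, san_without_sni):
        return "ok-without-sni"   # default certificate already covers the host
    if san_covers(hostname, san_with_sni):
        return "sni-required"     # client must send SNI or use a covered hostname
    return "mismatch"             # neither certificate covers this hostname


if __name__ == "__main__":
    target = sys.argv[1]  # hostname the API client calls
    with_sni = fetch_san(target, send_sni=True)
    without_sni = fetch_san(target, send_sni=False)
    print(diagnose(target, with_sni, without_sni))
```

Run it with the exact hostname the failing client uses; a result of `sni-required` means that client must either send SNI or switch to a hostname the default certificate covers.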

Error Between a Third-Party CDN and a Salesforce Experience Site

Some Salesforce Experience Sites use custom domains that are served by a third-party CDN.

The error occurs between the CDN and the Salesforce Experience site when a user attempts to visit the site. If the CDN’s default error page doesn’t mention the SSL error, check the CDN’s error log.

To resolve HTTPS errors caused by the usage of a third-party CDN serving custom domains for Experience Sites:

  • Configure the CDN to not send SNI, and
  • Ensure that the CDN expects an HTTPS certificate that includes *.my.salesforce.com in its Subject Alternative Name (SAN) list.

Error When Using *.cloudforce.com or *.database.com

The error occurs when client code calls an endpoint on *.cloudforce.com or *.database.com.

This is a special case of Error during an API Call, and can be resolved as described above.

Alternately, to resolve issues when addressing *.cloudforce.com or *.database.com:

  • Enable the Enhanced Domains feature. Enhanced Domains will redirect traffic from these domains to *.my.salesforce.com.

The *.cloudforce.com or *.database.com domains are being retired. Using Enhanced Domains is a recommended best practice, especially for customers still using these domains. Adopting Enhanced Domains before upgrading to Hyperforce can prevent SNI-related connection problems.
Knowledge Article Number

000392990

 