TLS handshake fails during HTTPS callouts when using Client Certificate

Publication date: Oct 13, 2022

Description

When making HTTPS callouts from Salesforce to a target endpoint that has mutual TLS (mTLS, also known as mutual authentication) enabled, whether the configured client certificate is sent depends on what the server requests in its TLS handshake:

a) If the server returns an empty list of accepted client certificate signing certificate distinguished names (DNs), Salesforce sends the callout's configured client certificate (if one was set) regardless of the certificate's signer. This is the remote server asking for any client certificate.

NOTE: The list of accepted client certificate CA names can be checked, for instance, with openssl:

openssl s_client -connect <domain>:443

If the server doesn't explicitly return a list of DNs, the output contains the line "No client certificate CA names sent". If it does, the DNs are listed under "Acceptable client certificate CA names".

b) If the server returns a non-empty list of accepted client certificate signing certificate distinguished names (DNs) (in the TLS CertificateRequest handshake message that follows the ServerHello), Salesforce sends the configured client certificate (set via setClientCertificate()) only if that certificate chains up to at least one of the signing-certificate DNs the server returned in its client certificate request. Otherwise, Salesforce does not send the configured client certificate, and the server typically aborts the handshake because no client certificate was presented.

Solution
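As an added example (not part of the Salesforce article), the following POSIX shell script applies the two rules above to a client certificate's issuer DN(s). It parses the "Acceptable client certificate CA names" section of openssl s_client output; the s_client output, hostnames and DNs are constructed samples, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Constructed, abridged `openssl s_client -connect <domain>:443` output for the
# two scenarios in the article (OpenSSL 1.1.1+/3.x DN formatting assumed).
SCLIENT_WITH_CA_NAMES='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Example Corp, CN = Example Issuing CA
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1234 bytes and written 456 bytes'

SCLIENT_NO_CA_NAMES='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1000 bytes and written 300 bytes'

# Print the DNs the server advertised, one per line; prints nothing when the
# output contains "No client certificate CA names sent".
accepted_ca_names() {
  printf '%s\n' "$1" | awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^---/ || /^Client Certificate Types/ || /^Requested Signature/) { exit }
    in_list { print }'
}

# $1 = s_client output; $2 = newline-separated issuer DNs of the configured
# client certificate chain (as printed by `openssl x509 -noout -issuer`, with
# the "issuer=" prefix removed). Returns 0 if Salesforce would send the
# certificate under the article's rules, 1 if it would not.
client_cert_accepted() {
  cas=$(accepted_ca_names "$1")
  # Scenario a): empty DN list -> certificate is sent regardless of its signer.
  [ -z "$cas" ] && return 0
  # Scenario b): some issuer in the client chain must match an advertised DN.
  while IFS= read -r dn; do
    [ -n "$dn" ] && printf '%s\n' "$cas" | grep -qFx -- "$dn" && return 0
  done <<EOF
$2
EOF
  return 1
}
```

Against a live endpoint, feed it `openssl s_client -connect host:443 </dev/null 2>/dev/null` as the first argument and `openssl x509 -noout -issuer -in client.crt | sed 's/^issuer=//'` as the second; a return value of 1 means the configured certificate will not be presented and the handshake will fail on the server side.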

If you need further assistance, contact Salesforce Support, and provide a Wireshark capture taken on the remote server showing the failing handshake.

Knowledge Article Number

000386138
