SNI (Server Name Indication) Now Required for Anypoint MQ and Object Store TLS Connections

Summary

Connections to Anypoint MQ and Object Store endpoints that do not include a valid Server Name Indication (SNI) extension in the TLS handshake will be rejected.

Symptoms

Customers may observe TLS connection failures or refused connections when attempting to connect to Anypoint MQ or Object Store endpoints. 

Cause

Anypoint MQ and Object Store endpoints are continuously hardened to comply with Salesforce Security Standards, which require all TLS connections to carry a valid Server Name Indication (SNI) extension. As part of this ongoing hardening, connections that present an empty or missing SNI field — long discouraged in modern TLS guidance and incompatible with the load-balancing and certificate-routing controls used at the edge — are no longer accepted. SNI is now mandatory on every TLS handshake to Anypoint MQ and Object Store; this is the supported end state and is not being relaxed.

Resolution / Workaround

Connections to Anypoint MQ and Object Store V2 must include a valid Server Name Indication (SNI) value during the TLS handshake. Connections with an empty or missing SNI field are no longer supported and will be rejected.

Affected Products

• Anypoint MQ Broker API 
• Anypoint Object Store V2

Not affected

• Anypont MQ connector
• Anypoint MQ Admin API
• Anypoint MQ Stats API
• Object Store Connector using the Object Store V2 Service