Troubleshooting TLS Handshake Failures with SNI Profiles in API Connect

Troubleshooting

Problem

When a user registers the API Connect Gateway service there's an option to configure Server name indication (SNI). The SNI configures allows for different hostnames to use different TLS Server profiles.

If a user sets up one SNI profile for TLS 1.2 for a specific hostname (e.g., api.example.com) and another default profile (eg. *) for TLS 1.2 and 1.3, TLS handshake failures may occur.

This issue arises due to the SNI server profile object advertising the highest TLS version (TLS 1.3) while the API call is limited to TLS 1.2 (as in the case of api.example.com).

Symptom

Users might see logs like the following:

20250411T142308.487Z [apiconnect][0x8120002f][ssl][error] ssl-server(sni-serverprofile): tid(71360)[10.xxx.x.x]: TLS library error: error:142090C1:SSL routines:tls_early_post_process_client_hello:no shared cipher

20250411T142308.487Z [apiconnect][0x80e00130][mpgw][error] source-https(apiconnect_https_9443): tid(71360)[10.xxx.x.x]: cannot establish TLS for incoming connection

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSMNED","label":"IBM API Connect"},"ARM Category":[{"code":"a8mKe000000CaZVIA0","label":"API Connect-\u003EAPIC Gateway"}],"ARM Case Number":"TS018779400","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"and future releases;10.0.5;10.0.8"}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Tips

Troubleshooting TLS Handshake Failures with SNI Profiles in API Connect