Solved: Re: Can you set the TLS SNI host name in a UCCX rest call?

Clifford McGlamry · ‎11-29-2023

I have a customer that has a script making a REST call that is failing. In troubleshooting, the customer's security people are saying it's failing because UCCX is not sending the TLS SNI field in the TLS hello, and because of this their FortiWeb doesn't know what server to route the request to.

This is a new one to me. Has anyone else run across this? Is this even possible?

Clifford McGlamry · ‎11-29-2023

Well, a coworker sent me this: https://bst.cisco.com/bugsearch/bug/CSCwb74848

Apparently, it's not currently supported.

View solution in original post

Clifford McGlamry · ‎11-29-2023

Well, a coworker sent me this: https://bst.cisco.com/bugsearch/bug/CSCwb74848

Apparently, it's not currently supported.

mparra.fusionet · ‎01-16-2024

Hi @Clifford McGlamry, I opened a TAC case because I ran exactly into the same thing, the bug is quite misleading, our client has AS and they were able to find that there is a Patch, I am waiting on them to verify the packet capture and UCCX logs showing that the SNI is not being sent in the TLS Client Hello to provide the patch to test it

mparra.fusionet · ‎02-06-2024

Finally I was able to get TAC to do the workaround on the Linux OS root and it is working!, It is key to be at 12.5.1 SU3 minimum to apply this workaround otherwise it won't work, at some point they will have a patch but if anybody runs into this issue, please contact TAC and ask for the manual workaround (jar file that needs to be copied via the UCCX Linux root).