SSL Handshake errors when making API queries via Java clients

Incident Report for Salsify

Resolved

Our engineering team investigated reports of SSL handshake errors when making API queries to Salsify from Java clients.

As part of the mandatory refresh of our SSL certificates, some customers were affected by a change that Amazon, as our certificate provider, made in their practice as a certificate authority.

On 2/14, Amazon updated the SSL cert for *.salsify.com.

Amazon has stopped cross-signing their certs with Starfield Class 2, operated by GoDaddy. As a result, clients which relied on that trust relationship will no longer be able to complete the SSL handshake with https://app.salsify.com. To resolve this, you must either:

1. Update your application's list of trusted root CAs to include Amazon's Root CA 1 certificate, using the certificate found here: https://www.amazontrust.com/repository/

2. Update your application to run on a runtime which already supports Amazon's Root CA 1 certificate.

Amazon has provided a list of common runtimes which support their CA (almost all platforms and runtimes released in the last 10 years) in FAQ #1 of their announcement of this change: https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/

In particular, Java runtimes prior to Java 9 (except Java 8 Update 25 or later and Java 7 Update 75 or later) would need to be updated to a newer version of Java or have their list of trusted root CAs updated.

Please reach out to customer support at https://help.salsify.com/help/contact-feedback for any questions regarding this subject.
Posted Feb 19, 2025 - 13:03 EST
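
The following is an added example, not code from Salsify or Amazon: a Java 7+ check that reports whether the running JVM's default trust store already contains Amazon Root CA 1 and, when given a path to the root certificate downloaded from the repository above, builds a trust store with that root added and attempts a handshake with https://app.salsify.com. The class name and the command-line argument are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class AmazonRootCheck {  // hypothetical class name
    // Trust anchors this JVM uses by default (cacerts, or -Djavax.net.ssl.trustStore).
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] anchors = defaultAnchors();
        boolean present = false;
        for (X509Certificate c : anchors)  // the RFC 2253 string form puts the CN first
            present |= c.getSubjectX500Principal().getName().startsWith("CN=Amazon Root CA 1,");
        System.out.println("Java " + System.getProperty("java.version")
                + ": Amazon Root CA 1 in default trust store = " + present);
        if (args.length == 0) return;

        // Option 1 from the report: default anchors plus the downloaded root (PEM or DER file).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        for (int i = 0; i < anchors.length; i++) ks.setCertificateEntry("default-" + i, anchors[i]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.setCertificateEntry("amazon-root-ca-1",
                    CertificateFactory.getInstance("X.509").generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Handshake with the host named in the report, using only this context.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://app.salsify.com").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.connect();  // throws SSLHandshakeException if the chain still does not validate
        System.out.println("Handshake OK, cipher suite " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

The subject-name match only shows that a certificate with that name is present; before adding a downloaded root to any trust store, compare its fingerprint with the value published in the Amazon Trust Services repository.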

Monitoring

Our engineering team has been investigating reports of SSL handshake errors when making API queries to Salsify from Java clients.

As part of the mandatory refresh of our SSL certificates, some customers may be affected by a change that Amazon, as our certificate provider, has made in their practice as a certificate authority.

On 2/14, Amazon updated the SSL cert for *.salsify.com.

Amazon has stopped cross-signing their certs with Starfield Class 2, operated by GoDaddy. As a result, clients which relied on that trust relationship will no longer be able to complete the SSL handshake with https://app.salsify.com. To resolve this, you must either:

1. Update your application's list of trusted root CAs to include Amazon's Root CA 1 certificate, using the certificate found here: https://www.amazontrust.com/repository/

2. Update your application to run on a runtime which already supports Amazon's Root CA 1 certificate.

Amazon has provided a list of common runtimes which support their CA (almost all platforms and runtimes released in the last 10 years) in FAQ #1 of their announcement of this change: https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/

In particular, Java runtimes prior to Java 9 (except Java 8 Update 25 or later and Java 7 Update 75 or later) would need to be updated to a newer version of Java or have their list of trusted root CAs updated.

Please reach out to customer support at https://help.salsify.com/help/contact-feedback for any questions regarding this subject.
Posted Feb 17, 2025 - 13:34 EST

Investigating

Our engineering team is investigating reports of SSL handshake errors when making API queries to Salsify from Java clients.

Please reach out to customer support at https://help.salsify.com/help/contact-feedback for any questions regarding this subject.
Posted Feb 17, 2025 - 11:08 EST
This incident affected: Salsify Application (Salsify Application).