
Phoebus Apollo asked

SSL Handshake Issue

Hi, I'm presently working on a skill and am having some SSL issues. My service is hosted on my own server, with a specific subdomain on my website as the endpoint. I have an issued SSL certificate for that specific subdomain (I'll use the example "alexaskill.mysite.com"), and the SSL cert is issued by an Amazon-approved CA. Opened in any browser, the SSL seems to work fine on my test URL, even when examining the root CA and when scanning the SSL with an SSL-scanning site (my grade is poor, but the cert is correct for this exact subdomain/domain). Trying to invoke the skill via my Echo results in "The remote endpoint could not be called, or the response it returned was invalid." The card that shows up in my Alexa app is "Request Identifier: {skill ID} The SSL handshake to endpoint Resource [{ https://alexaskill.mysite.com/}], Type [HTTP] failed. Please check that your java keystore is correctly configured". I'm not using AWS; I'm using my own server for the skill development. Any ideas what might be causing this issue? I checked other posts with SSL problems but did not come across any clear solutions.
Tags: alexa skills kit, submission testing certification

Stefan Negritoiu answered
Make sure your web server isn't configured to use SNI for your skill SSL endpoint. If you host multiple SSL web sites off the same IP, that's a tell that SNI is enabled and you have to restructure your hosting config. The converse isn't necessarily true, so even if you're hosting only the skill endpoint off that IP you should check. HTH, Stefan
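The check Stefan is asking for can be done from the outside without touching the Apache config: complete one handshake that sends the TLS server_name extension and one that does not (which is how a client without SNI support, such as the old JDK the Alexa platform is reported to use further down this thread, behaves), then compare what the server hands back. The script below is an added example and is not code from this thread or from any of its posters; the hostname alexaskill.mysite.com is the placeholder from the question, and the verdict names are my own. Verification is deliberately switched off because the point is to see which certificate the server chooses, not whether it chains.

```python
import socket
import ssl

# Verdicts returned by classify(); the text is for the operator.
VERDICT_TEXT = {
    "NO_TLS": "handshake fails even with SNI; the problem is not SNI",
    "SNI_REQUIRED": "handshake without SNI is rejected; non-SNI clients cannot connect",
    "SNI_DEPENDENT": "a different (default vhost) certificate is served without SNI",
    "SNI_INDEPENDENT": "same certificate with and without SNI; a non-SNI client is fine",
}


def fetch_leaf_cert(host, port=443, use_sni=True, timeout=5.0):
    """Complete a TLS handshake and return (leaf_cert_der, error).

    With use_sni=False no server_name extension is sent at all, which is
    what a pre-SNI client does. Certificate verification is disabled on
    purpose so that a hostname mismatch does not hide which certificate
    the server actually selected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
                return tls.getpeercert(binary_form=True), None
    except (ssl.SSLError, OSError) as exc:
        return None, str(exc)


def classify(with_sni, without_sni):
    """Map the two (cert, error) results to one of the VERDICT_TEXT keys."""
    cert_sni, _err_sni = with_sni
    cert_plain, _err_plain = without_sni
    if cert_sni is None:
        return "NO_TLS"
    if cert_plain is None:
        return "SNI_REQUIRED"
    if cert_sni != cert_plain:
        return "SNI_DEPENDENT"
    return "SNI_INDEPENDENT"


def check_endpoint(host, port=443):
    """Run both handshakes against a live host and return the verdict key."""
    return classify(fetch_leaf_cert(host, port, use_sni=True),
                    fetch_leaf_cert(host, port, use_sni=False))


if __name__ == "__main__":
    import sys
    # Hostname is the placeholder from the question; pass your own as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "alexaskill.mysite.com"
    verdict = check_endpoint(target)
    print(target, verdict, "-", VERDICT_TEXT[verdict])
```

Run it against the skill endpoint: SNI_INDEPENDENT is the outcome you want; SNI_DEPENDENT means the skill vhost is not the default vhost on that IP and port, and SNI_REQUIRED means the server refuses clients that send no server name at all. The classify() function is kept separate from the network code so the decision logic can be exercised with constructed results.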

Phoebus Apollo answered
I'm not versed in how SNI is configured in an Apache/OpenSSL environment. I do know my only VirtualHost running SSL is the one with the skill, and its full ServerName is identical to the certificate's CN. If there is a configuration option somewhere that you recommend I check, I'll check there; I'm the sole admin of my own server, so I have full access to check things out. Still troubleshooting, though. I got my certificate from sslcertificate.com, which uses Comodo as the top-level CA, which should be on the list of Amazon-approved ones. My certificate is issued to the subdomain of my main site, but that shouldn't impact it; I don't want to have to acquire a unique domain name for the skill. (I'd prefer to develop this completely from scratch on my own server, so I'm not going to swap this onto AWS just to get around this SSL issue, although I know that'd be an easier way to get going, naturally.)

Steve A answered
Depending on your purposes, you could also just use a Lambda passthrough and point it to your server and forgo all the SSL headaches. Here's a link to Matt Kruse's, which I use for testing/development: https://forums.developer.amazon.com/forums/thread.jspa?messageID=24503 It's also possible to use this for a published app, though it certainly circumvents Amazon's intentions, and if you're dealing with private information (email addresses, etc.) it seems particularly ill-advised.

Stefan Negritoiu answered
@Phoebus: here are some resources: http://serverfault.com/questions/506177/how-can-i-detect-if-a-server-is-using-sni-for-https https://sni.velox.ch/ (this is an SNI test tool for clients, not servers, but it has samples and pointers to Apache SNI-related config)

Phoebus Apollo answered
I'm going to keep on plugging away at the SSL handshake problem for now; a passthrough trick would defeat the purpose of some of my original intention with the project. I'll post, though, if any solution becomes apparent.

Phoebus Apollo answered
@Stefan I'll review that info, thanks. At present, though, only one domain on the server has SSL connectivity, so I don't see how it could be configured for SNI. Seems like something in the handshake just goes awry, and I feel like it's just a stupid setting that I'm missing or misunderstanding with configuring the certificate.

Phoebus Apollo answered
While reading up on the subject of SNI support, it seems SNI support is baked into many fairly modern OpenSSL and Apache configurations. It operates via TLS extensions in OpenSSL, and mod_ssl in Apache determines if TLS extensions are on and, if so, enables SNI. I only have one SSL site on the server, and it's the skill-driven one, so I'm trying to determine if there is a way to disable TLS extensions in OpenSSL. Might be sleeping soon, so I felt I should log this thought before I give up and head to bed, and also put it out there in case it gives anyone else ideas.

Phoebus Apollo answered
One more quick post. So as far as I can tell, my server has Apache/OpenSSL updated to versions that are SNI-capable, and SNI is sort of forced on by default. There are options which mitigate the SNI input, but as far as I can tell Alexa skills run on JDK 1.5 (at least according to the user agent string), and it takes JDK 1.7 to properly process SNI-capable hosts. I'd happily disable SNI, as my endpoint only runs one website on SSL and that is the skill page, and I'm fumbling through options and settings to try to do so, but as of yet I can't make Apache's mod_ssl turn off the SNI compatibility in a way that the Alexa JDK 1.5 will validate through. If anyone knows how to shut off SNI support in Apache/OpenSSL in such a way that enables the Alexa skills platform to communicate properly, that'd be greatly appreciated, as that'd be the best solution for me until they update the JDK that Alexa skills uses. So until that happens, or until Alexa skills update their model, I really can't use this server to develop the skill, as I can't make it compatible, and I'm not a superfan of swapping to AWS to develop or setting up some kind of SSL passthrough as mentioned. Bummer. Any input, though, is appreciated; I'll post again if I figure out anything.
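Two things a practitioner would check on the Apache side of what the last two posts describe, written up here as an added illustrative config that is not from the thread or from any poster. First, mod_ssl answers a client that sends no server_name extension with the first `<VirtualHost>` defined for that address and port, so the skill vhost has to be the first one listed for `*:443`; `SSLStrictSNIVHostCheck` must stay `off` (its default), because `on` makes mod_ssl reject non-SNI clients outright, which is the opposite of what is wanted here. Second, a Java client does not go and fetch a missing intermediate CA certificate the way a browser does, so the Comodo intermediate has to be served by Apache (`SSLCertificateChainFile` on the mod_ssl versions of that era); a missing intermediate is a common reason a certificate looks fine in a browser and "poor" on a scanner while a Java client fails the handshake. Hostnames and file paths below are placeholders.

```apache
# Added example, not the poster's config. Assumes the skill endpoint
# alexaskill.mysite.com (placeholder from the question) and a second HTTPS
# site www.mysite.com share one IP. Paths are placeholders.
Listen 443

# Weak ordering (commented out): if www.mysite.com were defined first for
# *:443, a client that sends no SNI would be handed its certificate, and
# hostname validation for alexaskill.mysite.com would fail.
#
# <VirtualHost *:443>
#     ServerName www.mysite.com
#     ...
# </VirtualHost>

# Corrected ordering: the skill vhost is the first *:443 vhost, so it is the
# default that non-SNI clients receive.
<VirtualHost *:443>
    ServerName alexaskill.mysite.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/alexaskill.mysite.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/alexaskill.mysite.com.key
    # Intermediate CA cert (Comodo in the thread); Java will not fetch it itself.
    SSLCertificateChainFile /etc/ssl/certs/intermediate-ca.crt
    # Default is off; "on" would refuse every client that sends no SNI.
    SSLStrictSNIVHostCheck off
</VirtualHost>

# Any other HTTPS site on the same IP comes after the skill vhost and is
# only reachable by clients that do send SNI.
<VirtualHost *:443>
    ServerName www.mysite.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.mysite.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.mysite.com.key
</VirtualHost>
```

After reloading Apache, `openssl s_client -connect alexaskill.mysite.com:443` without a `-servername` argument should show the skill's certificate and the full chain up to the intermediate; if it shows a different certificate, the vhost order is still wrong, and if the chain stops at the leaf, the intermediate is not being served.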