Why does HTTPS work through the OpenZiti Tunnel but fail when using the SDK?

Hi everyone,

I’m evaluating OpenZiti for HTTPS traffic and have run into a puzzling issue: HTTPS requests work flawlessly when routed through the Ziti Tunnel but consistently fail when using the OpenZiti SDK.

Has anyone experienced this? Some questions I have:

  • Why does HTTPS succeed over the Ziti Tunnel but break in the SDK?
  • How does the Tunnel’s TLS handling differ from the SDK’s transport layer?
  • Is the SDK stripping or re‑terminating SSL/TLS in a way that disrupts end‑to‑end encryption?
  • Are there SDK settings or hooks to preserve the original TLS handshake?
  • What identity or authentication checks does the SDK enforce that the Tunnel bypasses?

Any examples, advice, or documentation pointers would be greatly appreciated!

Thanks in advance!

I'm guessing the failure you encountered involved the client software verifying that the server's certificate contains an SAN that matches the requested server name.

Or, was it a problem with the TLS handshake?

If it was the server name/host not matching the SAN, which SDK did you use? Some SDKs implement the client side as a socket handler, and others by hooking/intercepting the DNS lookup, so I'm wondering if your implementation might be inserting Ziti in such a way that it disrupts the SAN check.

How is your application using the OpenZiti Swift SDK? And can you identify how it is failing?

Tunnelers are applications that use their own tcp/ip stack to capture network packets and proxy them to OpenZiti overlay connections. The only TLS handling that the tunneler does is between itself and the OpenZiti components (edge routers, controllers). Connections for tunneled applications are opaque to the tunneler, and are passed through bit-for-bit (including any TLS handshake that the underlying application requires).

The OpenZiti SDKs are available for developers who want to write their own "OpenZiti native" applications, so the application would likely be coded to dial an OpenZiti service by name instead of connecting a socket to an IP:port.

The Swift SDK Reference has some examples that might be helpful.
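An added example (not code from this thread or from any OpenZiti SDK) that illustrates the SAN point from the replies above in Go: a loopback TCP socket stands in for the raw byte stream an SDK dial by service name hands back, and the application itself has to run TLS over it and pick the ServerName that gets checked against the certificate's SAN. The certificate, the hostname api.internal.example and the service name my-ziti-service are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// serverCert builds a constructed self-signed certificate whose only SAN is host (the HTTPS server's real name).
func serverCert(host string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err) // fixture setup for the demo, not a runtime condition it handles
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this server certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// tlsOverZitiStream mimics an SDK app: it gets a raw stream (loopback TCP here, in place of a Ziti dial) and runs TLS itself.
func tlsOverZitiStream(certHost, serverName string) error {
	cert, pool := serverCert(certHost)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // the HTTPS server end: it sees only TLS bytes, never Ziti
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()) // stand-in for dialing the Ziti service by name
	if err != nil {
		return err
	}
	cli := tls.Client(raw, &tls.Config{ServerName: serverName, RootCAs: pool})
	defer cli.Close()
	return cli.Handshake() // nil only when serverName is in the certificate's SAN
}
```

Calling tlsOverZitiStream with the certificate's hostname as ServerName succeeds, while passing the Ziti service name instead fails with a hostname mismatch, which is the failure mode the first reply suspects.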