[IGN-7019] HTTP ERROR 400 Invalid SNI

Just jumped a staging server up to the 8.1.25 nightly 2023-01-09 snapshot and every HTTPS access is getting SNI errors.

In the wrapper logs I see this:


INFO   | jvm 1    | 2023/01/10 15:38:20 | W [o.e.j.s.HttpChannel           ] [15:38:20]: handleException /data/perspective/runnable-projects org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

In the browser I see this:

HTTP ERROR 400 Invalid SNI

URI: /web
STATUS: 400
MESSAGE: Invalid SNI
SERVLET: -
CAUSED BY: org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

Caused by:

org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:266)
    at org.eclipse.jetty.server.SecureRequestCustomizer.customize(SecureRequestCustomizer.java:207)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:501)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:416)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:385)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:272)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:140)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:934)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1078)
    at java.base/java.lang.Thread.run(Unknown Source)

In our case I am accessing the system via alternate DNS names that do not match the certificate, but this has not been an issue like this before.

Going to roll back the staging server for now, but was hoping for some feedback if this is a known issue or there is a workaround so I can decide how to approach this upgrade again in the future.

What version are you upgrading from?

8.1.22

We're looking at this, but right now it seems that the Jetty upgrade we did for 8.1.25 may have enabled SNI by default.

This issue should be fixed in the latest early access build. See: Nightly 8.1 Changelogs - 2022 - #187 by sreis

Time to start a 2023 changelog topic?

Oh yeah, probably. I've let Sabrina know :+1:
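
A pre-upgrade check for the situation in this thread (a gateway reached through DNS names its certificate does not cover), as an added example that is not part of the original thread and not Ignition or Jetty code: it lists which access names a certificate's subjectAltName entries do not cover. The certificate data, host names and function names are constructed for illustration, and the matching is generic exact and single-label wildcard matching, assumed here rather than taken from Jetty's implementation.

```python
import ipaddress

# Constructed sample, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.example.com"),),),
    "subjectAltName": (
        ("DNS", "gateway.example.com"),
        ("DNS", "*.staging.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}

def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.rstrip(".").lower()

def cert_names(cert):
    """Split the certificate's SAN entries into DNS names and IP addresses."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(_norm(value))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips

def host_matches(host, cert):
    """True if the name used to reach the server is covered by the certificate."""
    dns, ips = cert_names(cert)
    try:
        # IP literals are compared against IP SAN entries only.
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass
    host = _norm(host)
    if host in dns:
        return True
    # A wildcard entry covers exactly one left-most label.
    label, _, parent = host.partition(".")
    return bool(label and parent) and ("*." + parent) in dns

def mismatched(hosts, cert):
    """Return the access names a strict host check would be expected to reject."""
    return [h for h in hosts if not host_matches(h, cert)]
```

Run `mismatched()` over every DNS name and IP address that clients, bookmarks and proxies use for the server before upgrading; an empty list means no access path depends on a name the certificate lacks.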