
KB – Invalid SNI message in BBj 24+

In BBj 24.00, customers using the default BASIS self-signed SSL certificate may encounter an “Invalid SNI” message when accessing web pages served by their BBj Jetty server over a secure HTTPS connection.

What does this mean?

SNI, or Server Name Indication, is an extension of the TLS protocol that allows a client, such as a web browser, to indicate which hostname it is attempting to connect to during the TLS handshake. An “Invalid SNI” error means that the server received a request for a hostname that does not correspond to any name listed in the SSL certificate. If you are using the default self-signed SSL certificate that BASIS provides during the installation of BBjServices, note that the hostname in that certificate will not match the hostname of your server. Historically, this mismatch did not cause significant problems. However, recent updates to the Jetty server enforce SNI checking more strictly on HTTPS connections unless additional measures are taken.

How to Resolve

To address the “Invalid SNI” error, you have several options. The recommended approach is to obtain a valid SSL certificate for your server, ensuring that the names in the certificate match your domains. The default self-signed certificate provided by BASIS is only a placeholder and should be replaced promptly to strengthen security. Alternatively, you can generate your own self-signed certificate that contains the correct domain name; note, however, that this does not offer the same level of security as a certificate issued by a trusted certificate authority.

Finally, for those who are simply troubleshooting the issue, we have introduced a configuration option that reverts the Jetty server to its original behavior. This can be done by setting the property “com.basis.server.jetty.SniHostCheck=false” in the BBj.properties file.
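To make the mismatch concrete, here is an added example (not BASIS or Jetty code) of the hostname-to-certificate comparison behind an “Invalid SNI” result, and of what disabling the check does. It runs over constructed certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the names `placeholder.invalid` and `bbj.example.com` are made up for illustration.

```python
# Added example (not BASIS or Jetty code): the hostname-to-certificate
# comparison behind an "Invalid SNI" result, run over constructed certs in
# the dict shape Python's ssl.SSLSocket.getpeercert() returns.

def cert_dns_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for. Per RFC 6125, subjectAltName
    dNSName entries win; the subject CN is only consulted when no SAN exists."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def name_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive label match; a single '*' is allowed only as the whole
    leftmost label and matches exactly one label (never 'a.b', and never the
    bare registrable domain such as '*.com')."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return "*" not in pattern and host == pat

def sni_host_check(server_name: str, cert: dict) -> bool:
    """True when the requested name is covered by the certificate; False is
    what the browser sees as 'Invalid SNI' while the check is enabled."""
    return any(name_matches(server_name, n) for n in cert_dns_names(cert))

def request_accepted(server_name: str, cert: dict, sni_host_check_enabled: bool = True) -> bool:
    """Effect of com.basis.server.jetty.SniHostCheck: with the check disabled
    the request passes regardless of the certificate's names (illustrative model)."""
    return (not sni_host_check_enabled) or sni_host_check(server_name, cert)

# Constructed stand-in for a placeholder self-signed certificate whose only
# name (a CN, no SAN) is not the real server name.
PLACEHOLDER_CERT = {
    "subject": ((("commonName", "placeholder.invalid"),),),
}

# Constructed certificate issued for the actual host plus an internal wildcard.
PROPER_CERT = {
    "subject": ((("commonName", "bbj.example.com"),),),
    "subjectAltName": (("DNS", "bbj.example.com"), ("DNS", "*.internal.example.com")),
}
```

Running `sni_host_check("bbj.example.com", PLACEHOLDER_CERT)` returns False, which is the situation the default certificate produces; the same call against `PROPER_CERT` returns True.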

BBj 24.01

BBj 24.01 adds an Enterprise Manager setting for this property.

BBj 24.02

In BBj 24.02, the default for “Check SNI Host” is now False.


The two additional properties are:

SNI Required – Whether SNI is required at the HTTP level; defaults to false. When “SNI Required” is set to true, the SNI is matched against the certificate sent to the client, and the request is accepted only if there is a match. See the following for more information:
https://eclipse.dev/jetty/documentation/jetty-11/operations-guide/index.html#og-protocols-ssl-sni:~:text=to%20the%20server%3A-,jetty.ssl.sniRequired,-Whether%20SNI%20is

SSL Context SNI Required – Whether SNI is required at the TLS level; defaults to false. When “SSL Context SNI Required” is set to true, clients that do not send a valid SNI receive a TLS failure, and their attempt to connect to the server fails. See the following for more information:
https://eclipse.dev/jetty/documentation/jetty-11/operations-guide/index.html#og-protocols-ssl-sni:~:text=TLS%20level%20is%3A-,jetty.sslContext.sniRequired,-Whether%20SNI%20is

Additional Reading:

https://www.cloudflare.com/learning/ssl/what-is-sni
