Skip to content

HTTP 400 Invalid SNI

When a client (web browser) connects to vScope via HTTPS, a modern browser will attempt to use SNI during the handshake process.

SNI tells the web server (vScope) which hostname the client is connecting to and allows the web server to present the correct certificate to the client.

If the certificate contains the hostname or a wildcard matching the hostname, the certificate will be uploaded. However, if the hostname does not match the ones in the certificate then the verification will fail and the browser will get a HTTP 400 “Invalid SNI” error.

Example:

  • Two addresses that resolve to the same IP which has a running vScope
    • vscope.company.com
    • vs.company.com
  • Certificate configured in vScope contains server name = vscope.company.com
  • User uses browser to access vs.company.com

This scenario will result in HTTP 400 “Invalid SNI” if SNI host check is enabled as vs.company.com is not a valid server name in the certificate.

To toggle SNI host check you can add a setting in config.ini. This file is located in the vScopeData folder which was selected during the installation of vScope.

C:\vScopeData\configuration\config.ini

Add the following line at the end of config.ini:

security.jetty.enable.sni.hostcheck=true

A setting of true means that SNI host check is enabled. To disable the check, set the value to false (currently the default setting).

Note: If you are using an IP address to access your vScope you must have SNI host check disabled.