qzind / tray

Browser plugin for sending documents and raw commands to a printer or attached device.
https://qz.io

HTTP Error Invalid SNI #1214

Closed tresf closed 8 months ago

tresf commented 8 months ago

Since we updated Jetty, attempts to load the HTTP about page from the wrong domain or IP address (e.g. 127.0.0.1) will fail with the following error.

org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

Affected:

This is also explained here https://stackoverflow.com/a/69945374/3196753 and here:

SNI (server name indication) is a TLS extension that allows a client to indicate the server name (domain) it is issuing a request for which is helpful when multiple domains are hosted at the same IP address. This indication is available before TLS handshaking occurs which gives the server an opportunity to present a different certificate for each server name (domain) that is being hosted. [QZ Tray] only hosts one domain (per environment) and only has one certificate. Therefore, SNI is unnecessary for its intended purpose for [QZ Tray]. Note as well that SNI is not a security mechanism -- it merely allows clients to indicate which domain they are trying to reach so that the correct certificate will be returned from the server to prove its legitimacy to the client.

SNI does not influence the way that the server validates client certificates or any other aspects of TLS. By default, SNI is not required by Jetty and [QZ Tray] does not override that. However, if SNI is provided by the client, Jetty 10 will, by default, check that the host passed matches a certificate that is available to the server. This is a change from Jetty 9 which did not perform this SNI validation. [The workflow of configuring a print server with QZ Tray is encumbered by this, so in] Jetty 10, we turn off the Jetty SNI host name checking here.

tresf commented 8 months ago

This will be fixed in QZ Tray 2.2.4, or available immediately as 2.2.3+10 for Company Branded customers.
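
For reference, the Jetty 10 SNI host check discussed in this issue is controlled on `SecureRequestCustomizer`. The following is an added example for an embedded Jetty 10 server, not QZ Tray's own code; the class name, port 8443 and the keystore arguments are assumptions chosen for illustration.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical class name; illustrates the setting only.
public class SniHostCheckExample {

    // Builds an HTTPS connector. With sniHostCheck=true (enabled by default in
    // Jetty 10) a request whose host does not match the server certificate is
    // rejected with "400: Invalid SNI". With false, that check is skipped.
    static ServerConnector httpsConnector(Server server, String keyStorePath,
                                          String keyStorePassword, int port,
                                          boolean sniHostCheck) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);         // single certificate, single domain
        ssl.setKeyStorePassword(keyStorePassword);

        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        customizer.setSniHostCheck(sniHostCheck);  // the check this issue is about
        customizer.setSniRequired(false);          // clients may still omit SNI

        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(port);
        https.addCustomizer(customizer);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(https));
        connector.setPort(port);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: <keystore path> <keystore password>
        Server server = new Server();
        // Port 8443 is a placeholder; false disables the host check so the
        // page also loads via an address such as 127.0.0.1.
        server.addConnector(httpsConnector(server, args[0], args[1], 8443, false));
        server.start();
        server.join();
    }
}
```

Disabling the check changes only the server-side comparison of the requested host against its certificate; clients still validate the certificate the server presents.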