3411313 - SSSLERR_SERVER_CERT_MISMATCH even when SNI as the HTTPS client is set on the ICM

Symptom

There are outgoing HTTPS connection from the local ABAP system (let it be via SM59 destinations or the application itself) where it fails with a SSSLERR_SERVER_CERT_MISMATCH error as below in the ICM trace file:

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

[Thr 140484128118528] Target Hostname="<target HTTPS server FQDN>"
[Thr 140484128118528] SSL NI-hdl 2662: local=<local ICM IP address>:<port> peer=<target HTTPS server IP address>:<target HTTPS server HTTPS port>
[Thr 140484128118528] <<- ERROR: SapSSLSessionStartNB(sssl_hdl=7fc4e0001870)==SSSLERR_SERVER_CERT_MISMATCH
[Thr 140484128118528] *** ERROR => SSL handshake with <target HTTPS server FQDN>:<target HTTPS server HTTPS port> failed: SSSLERR_SERVER_CERT_MISMATCH (-30)
[Thr 140484128118528] Server certificate does not match supplied TargetHostname (rfc2818 section 3.1)
[Thr 140484128118528]
[Thr 140484128118528] SapSSLSessionStartNB()==SSSLERR_SERVER_CERT_MISMATCH
[Thr 140484128118528] TargetHostname = "<target HTTPS server FQDN>"
[Thr 140484128118528] ServerCert.subject = <CN=<mismatched hostname with the target HTTPS server FQDN>, (...)>

SNI is already configured per SAP Note 2124480.

Environment

SAP Kernel 721 or higher.

Product

ABAP platform all versions ; SAP NetWeaver all versions

Keywords

icm, ssl, handshake, x.509, x509, certificate, authentication, https, http, destination, external server, sni, server name indication, network, dns, mismatch, correct certificate, import, export , KBA , BC-CST-IC , Internet Communication Manager , BC-SEC-SSL , Secure Sockets Layer Protocol , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.